154100x800000000000000022767Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:16.603{7E7FFDA1-39E4-5FCE-0000-0010B9AB2E00}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022768Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:16.602{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-39E4-5FCE-0000-0010B9AB2E00}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022769Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:16.602{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-39E4-5FCE-0000-0010B9AB2E00}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022770Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:16.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022771Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:16.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022772Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:16.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022773Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:16.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022774Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:16.602{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-39E4-5FCE-0000-0010B9AB2E00}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022758Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:15.259{7E7FFDA1-39E3-5FCE-0000-001090A92E00}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022759Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:15.259{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-39E3-5FCE-0000-001090A92E00}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022760Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:15.259{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-39E3-5FCE-0000-001090A92E00}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022761Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:15.259{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022762Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:15.259{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022763Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:15.259{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022764Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:15.259{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022765Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:15.259{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-39E3-5FCE-0000-001090A92E00}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022766Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:15.415{7E7FFDA1-39E3-5FCE-0000-001090A92E00}8202964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022741Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:14.056{7E7FFDA1-39E2-5FCE-0000-001032A62E00}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022742Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:14.056{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-39E2-5FCE-0000-001032A62E00}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022743Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:14.056{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-39E2-5FCE-0000-001032A62E00}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022744Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:14.056{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022745Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:14.056{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022746Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:14.056{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022747Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:14.056{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022748Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:14.056{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-39E2-5FCE-0000-001032A62E00}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022749Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:14.588{7E7FFDA1-39E2-5FCE-0000-0010E4A72E00}1396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022750Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:14.587{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-39E2-5FCE-0000-0010E4A72E00}1396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022751Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:14.587{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-39E2-5FCE-0000-0010E4A72E00}1396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022752Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:14.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022753Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:14.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022754Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:14.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022755Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:14.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022756Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:14.587{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-39E2-5FCE-0000-0010E4A72E00}1396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022757Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:14.727{7E7FFDA1-39E2-5FCE-0000-0010E4A72E00}13965176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022732Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:13.384{7E7FFDA1-39E1-5FCE-0000-00107CA42E00}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022733Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:13.384{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-39E1-5FCE-0000-00107CA42E00}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022734Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:13.384{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-39E1-5FCE-0000-00107CA42E00}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022735Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:13.384{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022736Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:13.384{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022737Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:13.384{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022738Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:13.384{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022739Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:13.384{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-39E1-5FCE-0000-00107CA42E00}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022740Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:13.524{7E7FFDA1-39E1-5FCE-0000-00107CA42E00}53004936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022723Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:12.509{7E7FFDA1-39E0-5FCE-0000-0010B4A22E00}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022724Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:12.509{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-39E0-5FCE-0000-0010B4A22E00}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022725Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:12.509{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-39E0-5FCE-0000-0010B4A22E00}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022726Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:12.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022727Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:12.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022728Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:12.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022729Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:12.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022730Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:12.509{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-39E0-5FCE-0000-0010B4A22E00}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022731Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:12.649{7E7FFDA1-39E0-5FCE-0000-0010B4A22E00}45245036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022715Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:11.572{7E7FFDA1-39DF-5FCE-0000-0010FDA02E00}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022716Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:11.571{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-39DF-5FCE-0000-0010FDA02E00}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022717Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:11.571{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-39DF-5FCE-0000-0010FDA02E00}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022718Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:11.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022719Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:11.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022720Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:11.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022721Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:11.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022722Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:11.571{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-39DF-5FCE-0000-0010FDA02E00}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000022712Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:18:20.618{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_A47110B2-D436-47F8-BEA1-61CCEBF6C04E.XML 13241300x800000000000000022713Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:18:20.618{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Config SourceDWORD (0x00000001) 13241300x800000000000000022714Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:18:20.634{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9D191D6C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9D191D6C-0000-0000-0000-100000000000.XML 154100x800000000000000022704Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:16.588{7E7FFDA1-39A8-5FCE-0000-0010F8922E00}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022705Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:16.587{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-39A8-5FCE-0000-0010F8922E00}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022706Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:16.587{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-39A8-5FCE-0000-0010F8922E00}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022707Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:16.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022708Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:16.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022709Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:16.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022710Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:16.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022711Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:16.587{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-39A8-5FCE-0000-0010F8922E00}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022695Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:15.228{7E7FFDA1-39A7-5FCE-0000-00102F912E00}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022696Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:15.228{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-39A7-5FCE-0000-00102F912E00}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022697Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:15.228{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-39A7-5FCE-0000-00102F912E00}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022698Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:15.228{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022699Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:15.228{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022700Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:15.228{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022701Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:15.228{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022702Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:15.228{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-39A7-5FCE-0000-00102F912E00}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022703Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:15.368{7E7FFDA1-39A7-5FCE-0000-00102F912E00}28406576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022677Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:14.056{7E7FFDA1-39A6-5FCE-0000-0010738D2E00}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022678Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:14.056{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-39A6-5FCE-0000-0010738D2E00}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022679Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:14.056{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-39A6-5FCE-0000-0010738D2E00}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022680Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:14.056{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022681Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:14.056{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022682Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:14.056{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022683Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:14.056{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022684Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:14.056{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-39A6-5FCE-0000-0010738D2E00}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022685Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:14.196{7E7FFDA1-39A6-5FCE-0000-0010738D2E00}44687152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022686Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:14.556{7E7FFDA1-39A6-5FCE-0000-0010FC8E2E00}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022687Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:14.556{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-39A6-5FCE-0000-0010FC8E2E00}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022688Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:14.556{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-39A6-5FCE-0000-0010FC8E2E00}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022689Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:14.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022690Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:14.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022691Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:14.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022692Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:14.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022693Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:14.556{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-39A6-5FCE-0000-0010FC8E2E00}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022694Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:14.696{7E7FFDA1-39A6-5FCE-0000-0010FC8E2E00}53684948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022669Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:13.385{7E7FFDA1-39A5-5FCE-0000-0010A48B2E00}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022670Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:13.384{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-39A5-5FCE-0000-0010A48B2E00}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022671Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:13.384{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-39A5-5FCE-0000-0010A48B2E00}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022672Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:13.384{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022673Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:13.384{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022674Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:13.384{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022675Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:13.384{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022676Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:13.384{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-39A5-5FCE-0000-0010A48B2E00}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022660Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:12.510{7E7FFDA1-39A4-5FCE-0000-0010D8892E00}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022661Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:12.509{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-39A4-5FCE-0000-0010D8892E00}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022662Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:12.509{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-39A4-5FCE-0000-0010D8892E00}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022663Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:12.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022664Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:12.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022665Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:12.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022666Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:12.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022667Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:12.509{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-39A4-5FCE-0000-0010D8892E00}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022668Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:12.649{7E7FFDA1-39A4-5FCE-0000-0010D8892E00}20844464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022652Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:11.572{7E7FFDA1-39A3-5FCE-0000-00102D882E00}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022653Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:11.571{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-39A3-5FCE-0000-00102D882E00}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022654Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:11.571{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-39A3-5FCE-0000-00102D882E00}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022655Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:11.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022656Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:11.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022657Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:11.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022658Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:11.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022659Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:11.571{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-39A3-5FCE-0000-00102D882E00}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022623Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022624Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022625Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022626Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022627Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022628Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022629Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022630Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022631Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022632Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022633Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022634Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022635Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022636Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022637Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022638Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022639Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022640Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022641Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022642Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022643Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022644Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022645Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022646Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022647Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022648Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022649Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022650Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022651Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022621Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:37.134{7E7FFDA1-18B1-5FCE-0000-001002BA0000}11526896C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022622Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:37.134{7E7FFDA1-18B1-5FCE-0000-001002BA0000}11526896C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022620Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:35.556{7E7FFDA1-18AF-5FCE-0000-001027540000}856896C:\Windows\system32\lsass.exe{7E7FFDA1-18AE-5FCE-0000-0010EB030000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 154100x800000000000000022612Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:16.572{7E7FFDA1-396C-5FCE-0000-0010517A2E00}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022613Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:16.571{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-396C-5FCE-0000-0010517A2E00}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022614Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:16.571{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-396C-5FCE-0000-0010517A2E00}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022615Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:16.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022616Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:16.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022617Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:16.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022618Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:16.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022619Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:16.571{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-396C-5FCE-0000-0010517A2E00}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022603Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:15.120{7E7FFDA1-396B-5FCE-0000-00101C782E00}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022604Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:15.118{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-396B-5FCE-0000-00101C782E00}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022605Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:15.118{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-396B-5FCE-0000-00101C782E00}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022606Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:15.118{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022607Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:15.118{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022608Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:15.118{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022609Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:15.118{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022610Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:15.118{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-396B-5FCE-0000-00101C782E00}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022611Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:15.259{7E7FFDA1-396B-5FCE-0000-00101C782E00}44965844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022594Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:14.557{7E7FFDA1-396A-5FCE-0000-00105C762E00}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022595Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:14.556{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-396A-5FCE-0000-00105C762E00}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022596Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:14.556{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-396A-5FCE-0000-00105C762E00}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022597Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:14.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022598Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:14.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022599Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:14.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022600Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:14.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022601Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:14.556{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-396A-5FCE-0000-00105C762E00}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022602Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:14.696{7E7FFDA1-396A-5FCE-0000-00105C762E00}44526832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022577Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:13.385{7E7FFDA1-3969-5FCE-0000-0010FC722E00}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022578Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:13.384{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3969-5FCE-0000-0010FC722E00}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022579Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:13.384{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3969-5FCE-0000-0010FC722E00}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022580Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:13.384{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022581Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:13.384{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022582Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:13.384{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022583Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:13.384{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022584Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:13.384{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3969-5FCE-0000-0010FC722E00}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022585Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:13.525{7E7FFDA1-3969-5FCE-0000-0010FC722E00}67522144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022586Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:13.885{7E7FFDA1-3969-5FCE-0000-0010BD742E00}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022587Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:13.884{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3969-5FCE-0000-0010BD742E00}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022588Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:13.884{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3969-5FCE-0000-0010BD742E00}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022589Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:13.884{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022590Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:13.884{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022591Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:13.884{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022592Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:13.884{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022593Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:13.884{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3969-5FCE-0000-0010BD742E00}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022568Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:12.510{7E7FFDA1-3968-5FCE-0000-001036712E00}6940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022569Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:12.509{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3968-5FCE-0000-001036712E00}6940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022570Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:12.509{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3968-5FCE-0000-001036712E00}6940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022571Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:12.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022572Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:12.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022573Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:12.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022574Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:12.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022575Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:12.509{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3968-5FCE-0000-001036712E00}6940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022576Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:12.650{7E7FFDA1-3968-5FCE-0000-001036712E00}69403300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022560Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:11.557{7E7FFDA1-3967-5FCE-0000-00108B6F2E00}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022561Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:11.556{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3967-5FCE-0000-00108B6F2E00}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022562Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:11.556{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3967-5FCE-0000-00108B6F2E00}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022563Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:11.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022564Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:11.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022565Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:11.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022566Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:11.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022567Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:11.556{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3967-5FCE-0000-00108B6F2E00}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022552Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:16.556{7E7FFDA1-3930-5FCE-0000-001003632E00}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022553Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:16.556{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3930-5FCE-0000-001003632E00}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022554Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:16.556{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3930-5FCE-0000-001003632E00}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022555Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:16.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022556Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:16.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022557Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:16.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022558Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:16.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022559Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:16.556{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3930-5FCE-0000-001003632E00}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022543Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:15.198{7E7FFDA1-392F-5FCE-0000-00101D612E00}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022544Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:15.196{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-392F-5FCE-0000-00101D612E00}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022545Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:15.196{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-392F-5FCE-0000-00101D612E00}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022546Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:15.196{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022547Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:15.196{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022548Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:15.196{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022549Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:15.196{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022550Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:15.196{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-392F-5FCE-0000-00101D612E00}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022551Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:15.337{7E7FFDA1-392F-5FCE-0000-00101D612E00}27403712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022525Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:14.056{7E7FFDA1-392E-5FCE-0000-0010685D2E00}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022526Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:14.056{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-392E-5FCE-0000-0010685D2E00}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022527Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:14.056{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-392E-5FCE-0000-0010685D2E00}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022528Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:14.056{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022529Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:14.056{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022530Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:14.056{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022531Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:14.056{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022532Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:14.056{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-392E-5FCE-0000-0010685D2E00}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022533Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:14.196{7E7FFDA1-392E-5FCE-0000-0010685D2E00}65484148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022534Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:14.603{7E7FFDA1-392E-5FCE-0000-0010105F2E00}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022535Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:14.602{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-392E-5FCE-0000-0010105F2E00}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022536Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:14.602{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-392E-5FCE-0000-0010105F2E00}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022537Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:14.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022538Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:14.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022539Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:14.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022540Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:14.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022541Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:14.602{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-392E-5FCE-0000-0010105F2E00}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022542Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:14.743{7E7FFDA1-392E-5FCE-0000-0010105F2E00}49446280C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022517Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:13.384{7E7FFDA1-392D-5FCE-0000-00109A5B2E00}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022518Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:13.384{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-392D-5FCE-0000-00109A5B2E00}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022519Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:13.384{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-392D-5FCE-0000-00109A5B2E00}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022520Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:13.384{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022521Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:13.384{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022522Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:13.384{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022523Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:13.384{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022524Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:13.384{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-392D-5FCE-0000-00109A5B2E00}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022508Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:12.509{7E7FFDA1-392C-5FCE-0000-0010EE592E00}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022509Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:12.509{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-392C-5FCE-0000-0010EE592E00}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022510Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:12.509{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-392C-5FCE-0000-0010EE592E00}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022511Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:12.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022512Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:12.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022513Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:12.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022514Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:12.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022515Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:12.509{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-392C-5FCE-0000-0010EE592E00}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022516Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:12.649{7E7FFDA1-392C-5FCE-0000-0010EE592E00}50204916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022500Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:11.556{7E7FFDA1-392B-5FCE-0000-00103A582E00}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022501Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:11.556{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-392B-5FCE-0000-00103A582E00}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022502Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:11.556{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-392B-5FCE-0000-00103A582E00}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022503Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:11.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022504Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:11.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022505Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:11.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022506Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:11.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022507Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:11.556{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-392B-5FCE-0000-00103A582E00}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000022490Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:15:58.430{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6ccab-0xdd71065a) 13241300x800000000000000022491Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:15:58.430{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cca3-0x7bac9e5a) 13241300x800000000000000022492Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:15:58.430{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc9b-0x19e8365a) 13241300x800000000000000022493Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:15:58.430{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x007ec7ee) 13241300x800000000000000022494Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:15:58.430{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000022495Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:15:58.430{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6ccab-0xdd71065a) 13241300x800000000000000022496Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:15:58.430{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cca3-0x7bac9e5a) 13241300x800000000000000022497Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:15:58.430{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc9b-0x19e8365a) 13241300x800000000000000022498Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:15:58.430{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x007ec7ee) 13241300x800000000000000022499Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:15:58.430{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 10341000x800000000000000022461Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022462Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022463Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022464Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022465Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022466Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022467Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022468Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022469Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022470Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022471Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022472Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022473Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022474Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022475Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022476Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022477Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022478Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022479Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022480Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022481Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022482Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022483Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022484Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022485Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022486Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022487Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022488Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022489Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022460Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:40.243{7E7FFDA1-18AF-5FCE-0000-001027540000}856896C:\Windows\system32\lsass.exe{7E7FFDA1-18AE-5FCE-0000-0010EB030000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000022457Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:37.462{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022458Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:37.462{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022459Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:37.462{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022449Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:16.556{7E7FFDA1-38F4-5FCE-0000-0010F7452E00}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022450Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:16.555{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-38F4-5FCE-0000-0010F7452E00}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022451Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:16.555{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-38F4-5FCE-0000-0010F7452E00}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022452Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:16.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022453Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:16.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022454Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:16.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022455Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:16.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022456Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:16.555{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-38F4-5FCE-0000-0010F7452E00}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022440Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:15.275{7E7FFDA1-38F3-5FCE-0000-001033442E00}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022441Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:15.274{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-38F3-5FCE-0000-001033442E00}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022442Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:15.274{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-38F3-5FCE-0000-001033442E00}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022443Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:15.274{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022444Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:15.274{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022445Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:15.274{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022446Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:15.274{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022447Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:15.274{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-38F3-5FCE-0000-001033442E00}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022448Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:15.415{7E7FFDA1-38F3-5FCE-0000-001033442E00}9842784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022423Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:14.056{7E7FFDA1-38F2-5FCE-0000-00106B402E00}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022424Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:14.055{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-38F2-5FCE-0000-00106B402E00}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022425Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:14.055{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-38F2-5FCE-0000-00106B402E00}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022426Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022427Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022428Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022429Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022430Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:14.055{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-38F2-5FCE-0000-00106B402E00}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022431Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:14.603{7E7FFDA1-38F2-5FCE-0000-001008422E00}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022432Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:14.602{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-38F2-5FCE-0000-001008422E00}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022433Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:14.602{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-38F2-5FCE-0000-001008422E00}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022434Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:14.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022435Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:14.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022436Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:14.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022437Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:14.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022438Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:14.602{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-38F2-5FCE-0000-001008422E00}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022439Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:14.743{7E7FFDA1-38F2-5FCE-0000-001008422E00}61606796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022414Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:13.384{7E7FFDA1-38F1-5FCE-0000-0010A73E2E00}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022415Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:13.383{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-38F1-5FCE-0000-0010A73E2E00}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022416Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:13.383{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-38F1-5FCE-0000-0010A73E2E00}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022417Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022418Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022419Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022420Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022421Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:13.383{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-38F1-5FCE-0000-0010A73E2E00}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022422Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:13.524{7E7FFDA1-38F1-5FCE-0000-0010A73E2E00}60003632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022405Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:12.509{7E7FFDA1-38F0-5FCE-0000-0010DB3C2E00}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022406Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:12.508{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-38F0-5FCE-0000-0010DB3C2E00}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022407Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:12.508{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-38F0-5FCE-0000-0010DB3C2E00}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022408Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022409Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022410Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022411Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022412Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:12.508{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-38F0-5FCE-0000-0010DB3C2E00}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022413Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:12.649{7E7FFDA1-38F0-5FCE-0000-0010DB3C2E00}66243972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022397Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:11.540{7E7FFDA1-38EF-5FCE-0000-00102E3B2E00}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022398Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:11.540{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-38EF-5FCE-0000-00102E3B2E00}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022399Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:11.540{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-38EF-5FCE-0000-00102E3B2E00}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022400Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:11.540{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022401Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:11.540{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022402Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:11.540{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022403Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:11.540{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022404Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:11.540{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-38EF-5FCE-0000-00102E3B2E00}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022389Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:16.540{7E7FFDA1-38B8-5FCE-0000-00102B2F2E00}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022390Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:16.539{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-38B8-5FCE-0000-00102B2F2E00}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022391Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:16.539{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-38B8-5FCE-0000-00102B2F2E00}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022392Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:16.539{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022393Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:16.539{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022394Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:16.539{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022395Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:16.539{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022396Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:16.539{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-38B8-5FCE-0000-00102B2F2E00}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022380Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:15.337{7E7FFDA1-38B7-5FCE-0000-0010F62C2E00}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022381Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:15.336{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-38B7-5FCE-0000-0010F62C2E00}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022382Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:15.336{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-38B7-5FCE-0000-0010F62C2E00}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022383Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:15.336{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022384Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:15.336{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022385Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:15.336{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022386Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:15.336{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022387Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:15.336{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-38B7-5FCE-0000-0010F62C2E00}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022388Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:15.477{7E7FFDA1-38B7-5FCE-0000-0010F62C2E00}60484444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022370Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:14.133{7E7FFDA1-38B5-5FCE-0000-0010AC292E00}65246572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022371Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:14.665{7E7FFDA1-38B6-5FCE-0000-00103A2B2E00}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022372Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:14.664{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-38B6-5FCE-0000-00103A2B2E00}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022373Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:14.664{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-38B6-5FCE-0000-00103A2B2E00}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022374Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:14.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022375Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:14.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022376Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:14.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022377Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:14.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022378Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:14.664{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-38B6-5FCE-0000-00103A2B2E00}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022379Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:14.805{7E7FFDA1-38B6-5FCE-0000-00103A2B2E00}26564428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022354Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:13.384{7E7FFDA1-38B5-5FCE-0000-0010DE272E00}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022355Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:13.383{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-38B5-5FCE-0000-0010DE272E00}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022356Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:13.383{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-38B5-5FCE-0000-0010DE272E00}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022357Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022358Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022359Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022360Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022361Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:13.383{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-38B5-5FCE-0000-0010DE272E00}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022362Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:13.994{7E7FFDA1-38B5-5FCE-0000-0010AC292E00}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022363Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:13.992{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-38B5-5FCE-0000-0010AC292E00}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022364Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:13.992{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-38B5-5FCE-0000-0010AC292E00}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022365Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:13.992{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022366Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:13.992{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022367Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:13.992{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022368Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:13.992{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022369Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:13.992{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-38B5-5FCE-0000-0010AC292E00}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022345Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:12.509{7E7FFDA1-38B4-5FCE-0000-001016262E00}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022346Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:12.508{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-38B4-5FCE-0000-001016262E00}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022347Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:12.508{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-38B4-5FCE-0000-001016262E00}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022348Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022349Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022350Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022351Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022352Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:12.508{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-38B4-5FCE-0000-001016262E00}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022353Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:12.649{7E7FFDA1-38B4-5FCE-0000-001016262E00}4552600C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022337Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:11.525{7E7FFDA1-38B3-5FCE-0000-00106C242E00}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022338Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:11.524{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-38B3-5FCE-0000-00106C242E00}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022339Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:11.524{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-38B3-5FCE-0000-00106C242E00}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022340Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:11.524{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022341Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:11.524{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022342Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:11.524{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022343Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:11.524{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022344Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:11.524{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-38B3-5FCE-0000-00106C242E00}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022308Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022309Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022310Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022311Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022312Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022313Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022314Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022315Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022316Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022317Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022318Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022319Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022320Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022321Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022322Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022323Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022324Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022325Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022326Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022327Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022328Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022329Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022330Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022331Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022332Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022333Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022334Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022335Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022336Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000022305Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:13:20.273{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_A47110B2-D436-47F8-BEA1-61CCEBF6C04E.XML 13241300x800000000000000022306Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:13:20.273{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Config SourceDWORD (0x00000001) 13241300x800000000000000022307Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:13:20.273{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9D191D6C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9D191D6C-0000-0000-0000-100000000000.XML 154100x800000000000000022297Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:16.524{7E7FFDA1-387C-5FCE-0000-0010BF012E00}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022298Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:16.523{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-387C-5FCE-0000-0010BF012E00}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022299Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:16.523{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-387C-5FCE-0000-0010BF012E00}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022300Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:16.523{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022301Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:16.523{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022302Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:16.523{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022303Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:16.523{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022304Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:16.523{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-387C-5FCE-0000-0010BF012E00}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022288Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:15.352{7E7FFDA1-387B-5FCE-0000-0010F6FF2D00}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022289Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:15.352{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-387B-5FCE-0000-0010F6FF2D00}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022290Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:15.352{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-387B-5FCE-0000-0010F6FF2D00}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022291Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:15.352{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022292Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:15.352{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022293Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:15.352{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022294Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:15.352{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022295Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:15.352{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-387B-5FCE-0000-0010F6FF2D00}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022296Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:15.492{7E7FFDA1-387B-5FCE-0000-0010F6FF2D00}22362488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022271Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:14.009{7E7FFDA1-387A-5FCE-0000-001030FC2D00}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022272Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:14.008{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-387A-5FCE-0000-001030FC2D00}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022273Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:14.008{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-387A-5FCE-0000-001030FC2D00}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022274Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:14.008{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022275Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:14.008{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022276Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:14.008{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022277Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:14.008{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022278Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:14.008{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-387A-5FCE-0000-001030FC2D00}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022279Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:14.680{7E7FFDA1-387A-5FCE-0000-0010E2FD2D00}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022280Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:14.680{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-387A-5FCE-0000-0010E2FD2D00}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022281Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:14.680{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-387A-5FCE-0000-0010E2FD2D00}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022282Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:14.680{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022283Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:14.680{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022284Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:14.680{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022285Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:14.680{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022286Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:14.680{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-387A-5FCE-0000-0010E2FD2D00}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022287Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:14.836{7E7FFDA1-387A-5FCE-0000-0010E2FD2D00}41286700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022262Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:13.384{7E7FFDA1-3879-5FCE-0000-001084FA2D00}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022263Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:13.383{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3879-5FCE-0000-001084FA2D00}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022264Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:13.383{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3879-5FCE-0000-001084FA2D00}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022265Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022266Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022267Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022268Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022269Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:13.383{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3879-5FCE-0000-001084FA2D00}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022270Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:13.523{7E7FFDA1-3879-5FCE-0000-001084FA2D00}55487036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022253Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:12.509{7E7FFDA1-3878-5FCE-0000-0010B2F82D00}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022254Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:12.508{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3878-5FCE-0000-0010B2F82D00}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022255Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:12.508{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3878-5FCE-0000-0010B2F82D00}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022256Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022257Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022258Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022259Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022260Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:12.508{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3878-5FCE-0000-0010B2F82D00}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022261Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:12.648{7E7FFDA1-3878-5FCE-0000-0010B2F82D00}55405600C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022245Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:11.680{7E7FFDA1-3877-5FCE-0000-00101DF72D00}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022246Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:11.680{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3877-5FCE-0000-00101DF72D00}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022247Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:11.680{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3877-5FCE-0000-00101DF72D00}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022248Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:11.680{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022249Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:11.680{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022250Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:11.680{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022251Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:11.680{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022252Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:11.680{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3877-5FCE-0000-00101DF72D00}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022237Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:16.508{7E7FFDA1-3840-5FCE-0000-00108EEA2D00}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022238Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:16.508{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3840-5FCE-0000-00108EEA2D00}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022239Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:16.508{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3840-5FCE-0000-00108EEA2D00}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022240Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022241Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022242Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022243Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022244Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:16.508{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3840-5FCE-0000-00108EEA2D00}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022228Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:15.196{7E7FFDA1-383F-5FCE-0000-0010AFE82D00}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022229Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:15.195{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-383F-5FCE-0000-0010AFE82D00}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022230Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:15.195{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-383F-5FCE-0000-0010AFE82D00}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022231Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:15.195{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022232Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:15.195{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022233Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:15.195{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022234Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:15.195{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022235Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:15.195{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-383F-5FCE-0000-0010AFE82D00}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022236Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:15.336{7E7FFDA1-383F-5FCE-0000-0010AFE82D00}53122188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022219Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:14.525{7E7FFDA1-383E-5FCE-0000-0010B3E62D00}1392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022220Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:14.523{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-383E-5FCE-0000-0010B3E62D00}1392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022221Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:14.523{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-383E-5FCE-0000-0010B3E62D00}1392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022222Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:14.523{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022223Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:14.523{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022224Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:14.523{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022225Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:14.523{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022226Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:14.523{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-383E-5FCE-0000-0010B3E62D00}1392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022227Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:14.664{7E7FFDA1-383E-5FCE-0000-0010B3E62D00}13921448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022202Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:13.383{7E7FFDA1-383D-5FCE-0000-00104EE32D00}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022203Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:13.383{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-383D-5FCE-0000-00104EE32D00}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022204Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:13.383{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-383D-5FCE-0000-00104EE32D00}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022205Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022206Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022207Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022208Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022209Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:13.383{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-383D-5FCE-0000-00104EE32D00}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022210Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:13.523{7E7FFDA1-383D-5FCE-0000-00104EE32D00}61165228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022211Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:13.993{7E7FFDA1-383D-5FCE-0000-0010DCE42D00}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022212Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:13.992{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-383D-5FCE-0000-0010DCE42D00}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022213Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:13.992{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-383D-5FCE-0000-0010DCE42D00}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022214Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:13.992{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022215Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:13.992{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022216Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:13.992{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022217Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:13.992{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022218Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:13.992{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-383D-5FCE-0000-0010DCE42D00}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022193Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:12.508{7E7FFDA1-383C-5FCE-0000-001087E12D00}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022194Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:12.508{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-383C-5FCE-0000-001087E12D00}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022195Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:12.508{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-383C-5FCE-0000-001087E12D00}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022196Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022197Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022198Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022199Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022200Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:12.508{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-383C-5FCE-0000-001087E12D00}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022201Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:12.648{7E7FFDA1-383C-5FCE-0000-001087E12D00}70202964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022185Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:11.665{7E7FFDA1-383B-5FCE-0000-0010D6DF2D00}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022186Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:11.664{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-383B-5FCE-0000-0010D6DF2D00}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022187Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:11.664{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-383B-5FCE-0000-0010D6DF2D00}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022188Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:11.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022189Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:11.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022190Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:11.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022191Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:11.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022192Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:11.664{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-383B-5FCE-0000-0010D6DF2D00}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000022184Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:11:45.570{7E7FFDA1-18B1-5FCE-0000-001008C50000}1204C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6cca2-0xe52cf207) 10341000x800000000000000022183Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:40.992{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}6126920C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-001002BA0000}1152C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022175Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:16.508{7E7FFDA1-3804-5FCE-0000-0010C3D32D00}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022176Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:16.507{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3804-5FCE-0000-0010C3D32D00}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022177Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:16.507{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3804-5FCE-0000-0010C3D32D00}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022178Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:16.507{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022179Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:16.507{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022180Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:16.507{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022181Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:16.507{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022182Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:16.507{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3804-5FCE-0000-0010C3D32D00}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022166Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:15.321{7E7FFDA1-3803-5FCE-0000-0010FFD12D00}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022167Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:15.320{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3803-5FCE-0000-0010FFD12D00}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022168Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:15.320{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3803-5FCE-0000-0010FFD12D00}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022169Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:15.320{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022170Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:15.320{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022171Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:15.320{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022172Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:15.320{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022173Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:15.320{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3803-5FCE-0000-0010FFD12D00}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022174Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:15.461{7E7FFDA1-3803-5FCE-0000-0010FFD12D00}68042692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022156Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:14.117{7E7FFDA1-3801-5FCE-0000-001044CE2D00}69766992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022157Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:14.649{7E7FFDA1-3802-5FCE-0000-0010E1CF2D00}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022158Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:14.648{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3802-5FCE-0000-0010E1CF2D00}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022159Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:14.648{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3802-5FCE-0000-0010E1CF2D00}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022160Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:14.648{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022161Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:14.648{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022162Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:14.648{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022163Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:14.648{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022164Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:14.648{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3802-5FCE-0000-0010E1CF2D00}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022165Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:14.789{7E7FFDA1-3802-5FCE-0000-0010E1CF2D00}16086064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022140Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:13.383{7E7FFDA1-3801-5FCE-0000-001083CC2D00}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022141Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:13.382{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3801-5FCE-0000-001083CC2D00}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022142Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:13.382{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3801-5FCE-0000-001083CC2D00}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022143Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:13.382{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022144Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:13.382{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022145Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:13.382{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022146Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:13.382{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022147Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:13.382{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3801-5FCE-0000-001083CC2D00}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022148Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:13.977{7E7FFDA1-3801-5FCE-0000-001044CE2D00}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022149Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:13.976{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3801-5FCE-0000-001044CE2D00}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022150Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:13.976{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3801-5FCE-0000-001044CE2D00}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022151Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:13.976{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022152Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:13.976{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022153Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:13.976{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022154Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:13.976{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022155Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:13.976{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3801-5FCE-0000-001044CE2D00}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022131Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:12.508{7E7FFDA1-3800-5FCE-0000-0010BFCA2D00}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022132Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:12.507{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3800-5FCE-0000-0010BFCA2D00}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022133Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:12.507{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-3800-5FCE-0000-0010BFCA2D00}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022134Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:12.507{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022135Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:12.507{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022136Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:12.507{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022137Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:12.507{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022138Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:12.507{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3800-5FCE-0000-0010BFCA2D00}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022139Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:12.648{7E7FFDA1-3800-5FCE-0000-0010BFCA2D00}58127124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022123Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:11.664{7E7FFDA1-37FF-5FCE-0000-00100AC92D00}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022124Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:11.664{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-37FF-5FCE-0000-00100AC92D00}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022125Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:11.664{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-37FF-5FCE-0000-00100AC92D00}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022126Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:11.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022127Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:11.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022128Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:11.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022129Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:11.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022130Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:11.664{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-37FF-5FCE-0000-00100AC92D00}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000022113Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:10:58.414{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6ccab-0x2a9e5e6a) 13241300x800000000000000022114Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:10:58.414{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cca2-0xc8d9f66a) 13241300x800000000000000022115Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:10:58.414{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc9a-0x67158e6a) 13241300x800000000000000022116Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:10:58.414{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x007a33ff) 13241300x800000000000000022117Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:10:58.414{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000022118Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:10:58.414{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6ccab-0x2a9e5e6a) 13241300x800000000000000022119Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:10:58.414{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cca2-0xc8d9f66a) 13241300x800000000000000022120Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:10:58.414{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc9a-0x67158e6a) 13241300x800000000000000022121Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:10:58.414{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x007a33ff) 13241300x800000000000000022122Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:10:58.414{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 10341000x800000000000000022112Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:40.117{7E7FFDA1-18AF-5FCE-0000-001027540000}856896C:\Windows\system32\lsass.exe{7E7FFDA1-18AE-5FCE-0000-0010EB030000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000022109Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:37.445{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022110Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:37.445{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022111Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:37.445{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022101Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:16.508{7E7FFDA1-37C8-5FCE-0000-001092B72D00}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022102Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:16.507{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-37C8-5FCE-0000-001092B72D00}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022103Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:16.507{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-37C8-5FCE-0000-001092B72D00}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022104Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:16.507{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022105Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:16.507{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022106Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:16.507{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022107Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:16.507{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022108Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:16.507{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-37C8-5FCE-0000-001092B72D00}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022092Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:15.305{7E7FFDA1-37C7-5FCE-0000-0010CDB52D00}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022093Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:15.304{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-37C7-5FCE-0000-0010CDB52D00}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022094Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:15.304{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-37C7-5FCE-0000-0010CDB52D00}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022095Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:15.304{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022096Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:15.304{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022097Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:15.304{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022098Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:15.304{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022099Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:15.304{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-37C7-5FCE-0000-0010CDB52D00}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022100Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:15.445{7E7FFDA1-37C7-5FCE-0000-0010CDB52D00}63004332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022082Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:14.101{7E7FFDA1-37C5-5FCE-0000-001011B22D00}67366672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022083Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:14.633{7E7FFDA1-37C6-5FCE-0000-0010A0B32D00}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022084Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:14.633{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-37C6-5FCE-0000-0010A0B32D00}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022085Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:14.633{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-37C6-5FCE-0000-0010A0B32D00}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022086Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:14.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022087Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:14.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022088Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:14.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022089Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:14.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022090Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:14.633{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-37C6-5FCE-0000-0010A0B32D00}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022091Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:14.789{7E7FFDA1-37C6-5FCE-0000-0010A0B32D00}56246684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022066Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:13.383{7E7FFDA1-37C5-5FCE-0000-001049B02D00}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022067Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:13.382{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-37C5-5FCE-0000-001049B02D00}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022068Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:13.382{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-37C5-5FCE-0000-001049B02D00}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022069Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:13.382{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022070Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:13.382{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022071Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:13.382{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022072Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:13.382{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022073Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:13.382{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-37C5-5FCE-0000-001049B02D00}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022074Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:13.962{7E7FFDA1-37C5-5FCE-0000-001011B22D00}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022075Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:13.961{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-37C5-5FCE-0000-001011B22D00}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022076Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:13.961{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-37C5-5FCE-0000-001011B22D00}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022077Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:13.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022078Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:13.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022079Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:13.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022080Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:13.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022081Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:13.961{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-37C5-5FCE-0000-001011B22D00}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022057Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:12.508{7E7FFDA1-37C4-5FCE-0000-001077AE2D00}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022058Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:12.508{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-37C4-5FCE-0000-001077AE2D00}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022059Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:12.508{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-37C4-5FCE-0000-001077AE2D00}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022060Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022061Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022062Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022063Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022064Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:12.508{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-37C4-5FCE-0000-001077AE2D00}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022065Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:12.648{7E7FFDA1-37C4-5FCE-0000-001077AE2D00}22645364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022049Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:11.649{7E7FFDA1-37C3-5FCE-0000-0010C2AC2D00}5804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022050Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:11.648{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-37C3-5FCE-0000-0010C2AC2D00}5804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022051Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:11.648{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-37C3-5FCE-0000-0010C2AC2D00}5804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022052Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:11.648{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022053Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:11.648{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022054Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:11.648{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022055Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:11.648{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022056Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:11.648{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-37C3-5FCE-0000-0010C2AC2D00}5804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022020Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022021Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022022Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022023Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022024Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022025Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022026Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022027Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022028Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022029Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022030Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022031Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022032Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022033Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022034Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022035Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022036Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022037Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022038Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022039Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022040Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022041Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022042Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022043Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022044Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022045Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022046Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022047Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022048Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000022019Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:09:37.711{7E7FFDA1-18B1-5FCE-0000-001008C50000}1204C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6cca2-0x98f730c9) 154100x800000000000000022011Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:16.508{7E7FFDA1-378C-5FCE-0000-0010FF9F2D00}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022012Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:16.508{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-378C-5FCE-0000-0010FF9F2D00}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022013Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:16.508{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-378C-5FCE-0000-0010FF9F2D00}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022014Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022015Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022016Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022017Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022018Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:16.508{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-378C-5FCE-0000-0010FF9F2D00}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022002Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:15.305{7E7FFDA1-378B-5FCE-0000-0010449E2D00}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022003Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:15.304{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-378B-5FCE-0000-0010449E2D00}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022004Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:15.304{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-378B-5FCE-0000-0010449E2D00}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022005Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:15.304{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022006Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:15.304{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022007Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:15.304{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022008Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:15.304{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022009Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:15.304{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-378B-5FCE-0000-0010449E2D00}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022010Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:15.445{7E7FFDA1-378B-5FCE-0000-0010449E2D00}52806068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021993Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:14.633{7E7FFDA1-378A-5FCE-0000-0010229C2D00}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021994Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:14.633{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-378A-5FCE-0000-0010229C2D00}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021995Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:14.633{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-378A-5FCE-0000-0010229C2D00}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021996Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:14.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021997Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:14.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021998Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:14.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021999Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:14.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022000Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:14.633{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-378A-5FCE-0000-0010229C2D00}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022001Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:14.773{7E7FFDA1-378A-5FCE-0000-0010229C2D00}24006256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021976Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:13.383{7E7FFDA1-3789-5FCE-0000-0010C2982D00}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021977Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:13.383{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3789-5FCE-0000-0010C2982D00}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021978Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:13.383{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-3789-5FCE-0000-0010C2982D00}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021979Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021980Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021981Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021982Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021983Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:13.383{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3789-5FCE-0000-0010C2982D00}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021984Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:13.523{7E7FFDA1-3789-5FCE-0000-0010C2982D00}42565160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021985Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:13.962{7E7FFDA1-3789-5FCE-0000-00106B9A2D00}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021986Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:13.961{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3789-5FCE-0000-00106B9A2D00}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021987Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:13.961{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3789-5FCE-0000-00106B9A2D00}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021988Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:13.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021989Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:13.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021990Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:13.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021991Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:13.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021992Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:13.961{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3789-5FCE-0000-00106B9A2D00}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021967Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:12.508{7E7FFDA1-3788-5FCE-0000-0010F7962D00}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021968Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:12.508{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3788-5FCE-0000-0010F7962D00}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021969Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:12.508{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-3788-5FCE-0000-0010F7962D00}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021970Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021971Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021972Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021973Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021974Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:12.508{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3788-5FCE-0000-0010F7962D00}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021975Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:12.648{7E7FFDA1-3788-5FCE-0000-0010F7962D00}20125224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021959Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:11.633{7E7FFDA1-3787-5FCE-0000-00106C952D00}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021960Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:11.633{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3787-5FCE-0000-00106C952D00}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021961Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:11.633{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3787-5FCE-0000-00106C952D00}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021962Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:11.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021963Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:11.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021964Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:11.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021965Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:11.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021966Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:11.633{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3787-5FCE-0000-00106C952D00}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000021956Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:08:19.726{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_A47110B2-D436-47F8-BEA1-61CCEBF6C04E.XML 13241300x800000000000000021957Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:08:19.726{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Config SourceDWORD (0x00000001) 13241300x800000000000000021958Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:08:19.726{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9D191D6C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9D191D6C-0000-0000-0000-100000000000.XML 154100x800000000000000021948Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:16.493{7E7FFDA1-3750-5FCE-0000-001053872D00}1096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021949Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:16.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3750-5FCE-0000-001053872D00}1096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021950Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:16.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-3750-5FCE-0000-001053872D00}1096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021951Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:16.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021952Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:16.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021953Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:16.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021954Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:16.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021955Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:16.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3750-5FCE-0000-001053872D00}1096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021939Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:15.290{7E7FFDA1-374F-5FCE-0000-00108E852D00}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021940Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:15.289{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-374F-5FCE-0000-00108E852D00}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021941Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:15.289{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-374F-5FCE-0000-00108E852D00}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021942Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:15.289{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021943Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:15.289{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021944Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:15.289{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021945Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:15.289{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021946Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:15.289{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-374F-5FCE-0000-00108E852D00}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021947Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:15.430{7E7FFDA1-374F-5FCE-0000-00108E852D00}41246608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021930Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:14.618{7E7FFDA1-374E-5FCE-0000-001082832D00}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021931Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:14.617{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-374E-5FCE-0000-001082832D00}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021932Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:14.617{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-374E-5FCE-0000-001082832D00}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021933Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:14.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021934Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:14.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021935Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:14.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021936Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:14.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021937Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:14.617{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-374E-5FCE-0000-001082832D00}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021938Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:14.773{7E7FFDA1-374E-5FCE-0000-001082832D00}18564988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021913Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:13.383{7E7FFDA1-374D-5FCE-0000-001017802D00}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021914Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:13.383{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-374D-5FCE-0000-001017802D00}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021915Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:13.383{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-374D-5FCE-0000-001017802D00}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021916Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021917Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021918Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021919Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021920Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:13.383{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-374D-5FCE-0000-001017802D00}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021921Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:13.523{7E7FFDA1-374D-5FCE-0000-001017802D00}5292632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021922Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:13.946{7E7FFDA1-374D-5FCE-0000-0010C0812D00}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021923Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:13.945{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-374D-5FCE-0000-0010C0812D00}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021924Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:13.945{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-374D-5FCE-0000-0010C0812D00}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021925Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:13.945{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021926Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:13.945{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021927Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:13.945{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021928Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:13.945{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021929Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:13.945{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-374D-5FCE-0000-0010C0812D00}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021904Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:12.493{7E7FFDA1-374C-5FCE-0000-00104B7E2D00}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021905Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:12.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-374C-5FCE-0000-00104B7E2D00}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021906Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:12.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-374C-5FCE-0000-00104B7E2D00}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021907Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021908Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021909Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021910Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021911Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:12.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-374C-5FCE-0000-00104B7E2D00}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021912Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:12.633{7E7FFDA1-374C-5FCE-0000-00104B7E2D00}57442584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021896Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:11.618{7E7FFDA1-374B-5FCE-0000-0010A27C2D00}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021897Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:11.617{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-374B-5FCE-0000-0010A27C2D00}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021898Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:11.617{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-374B-5FCE-0000-0010A27C2D00}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021899Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:11.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021900Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:11.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021901Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:11.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021902Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:11.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021903Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:11.617{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-374B-5FCE-0000-0010A27C2D00}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021867Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021868Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021869Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021870Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021871Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021872Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021873Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021874Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021875Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021876Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021877Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021878Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021879Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021880Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021881Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021882Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021883Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021884Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021885Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021886Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021887Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021888Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021889Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021890Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021891Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021892Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021893Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021894Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021895Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021865Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:37.117{7E7FFDA1-18B1-5FCE-0000-001002BA0000}11521864C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021866Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:37.117{7E7FFDA1-18B1-5FCE-0000-001002BA0000}11521864C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021864Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:35.539{7E7FFDA1-18AF-5FCE-0000-001027540000}856904C:\Windows\system32\lsass.exe{7E7FFDA1-18AE-5FCE-0000-0010EB030000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 154100x800000000000000021856Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:16.477{7E7FFDA1-3714-5FCE-0000-0010706E2D00}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021857Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:16.477{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3714-5FCE-0000-0010706E2D00}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021858Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:16.477{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-3714-5FCE-0000-0010706E2D00}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021859Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021860Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021861Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021862Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021863Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:16.477{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3714-5FCE-0000-0010706E2D00}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021847Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:15.274{7E7FFDA1-3713-5FCE-0000-0010B16C2D00}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021848Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:15.273{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3713-5FCE-0000-0010B16C2D00}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021849Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:15.273{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3713-5FCE-0000-0010B16C2D00}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021850Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:15.273{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021851Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:15.273{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021852Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:15.273{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021853Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:15.273{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021854Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:15.273{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3713-5FCE-0000-0010B16C2D00}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021855Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:15.414{7E7FFDA1-3713-5FCE-0000-0010B16C2D00}44685068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021837Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:14.070{7E7FFDA1-3711-5FCE-0000-0010F0682D00}44646076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021838Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:14.602{7E7FFDA1-3712-5FCE-0000-0010A06A2D00}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021839Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:14.602{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3712-5FCE-0000-0010A06A2D00}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021840Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:14.602{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-3712-5FCE-0000-0010A06A2D00}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021841Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:14.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021842Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:14.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021843Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:14.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021844Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:14.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021845Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:14.602{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3712-5FCE-0000-0010A06A2D00}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021846Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:14.742{7E7FFDA1-3712-5FCE-0000-0010A06A2D00}27682852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021821Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:13.384{7E7FFDA1-3711-5FCE-0000-001024672D00}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021822Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:13.383{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3711-5FCE-0000-001024672D00}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021823Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:13.383{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3711-5FCE-0000-001024672D00}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021824Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021825Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021826Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021827Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021828Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:13.383{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3711-5FCE-0000-001024672D00}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021829Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:13.931{7E7FFDA1-3711-5FCE-0000-0010F0682D00}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021830Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:13.930{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3711-5FCE-0000-0010F0682D00}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021831Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:13.930{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3711-5FCE-0000-0010F0682D00}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021832Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:13.930{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021833Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:13.930{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021834Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:13.930{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021835Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:13.930{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021836Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:13.930{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3711-5FCE-0000-0010F0682D00}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021812Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:12.493{7E7FFDA1-3710-5FCE-0000-001078652D00}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021813Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:12.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3710-5FCE-0000-001078652D00}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021814Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:12.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3710-5FCE-0000-001078652D00}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021815Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021816Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021817Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021818Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021819Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:12.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3710-5FCE-0000-001078652D00}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021820Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:12.633{7E7FFDA1-3710-5FCE-0000-001078652D00}54766044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021804Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:11.602{7E7FFDA1-370F-5FCE-0000-0010CF632D00}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021805Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:11.602{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-370F-5FCE-0000-0010CF632D00}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021806Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:11.602{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-370F-5FCE-0000-0010CF632D00}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021807Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:11.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021808Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:11.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021809Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:11.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021810Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:11.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021811Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:11.602{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-370F-5FCE-0000-0010CF632D00}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021796Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:16.477{7E7FFDA1-36D8-5FCE-0000-0010D2572D00}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021797Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:16.477{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-36D8-5FCE-0000-0010D2572D00}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021798Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:16.477{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-36D8-5FCE-0000-0010D2572D00}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021799Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021800Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021801Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021802Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021803Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:16.477{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-36D8-5FCE-0000-0010D2572D00}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021787Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:15.088{7E7FFDA1-36D7-5FCE-0000-0010F5552D00}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021788Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:15.086{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-36D7-5FCE-0000-0010F5552D00}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021789Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:15.086{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-36D7-5FCE-0000-0010F5552D00}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021790Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:15.086{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021791Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:15.086{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021792Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:15.086{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021793Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:15.086{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021794Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:15.086{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-36D7-5FCE-0000-0010F5552D00}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021795Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:15.227{7E7FFDA1-36D7-5FCE-0000-0010F5552D00}68365484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021777Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:14.102{7E7FFDA1-36D5-5FCE-0000-001031522D00}25284492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021778Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:14.587{7E7FFDA1-36D6-5FCE-0000-0010E6532D00}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021779Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:14.586{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-36D6-5FCE-0000-0010E6532D00}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021780Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:14.586{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-36D6-5FCE-0000-0010E6532D00}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021781Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:14.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021782Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:14.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021783Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:14.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021784Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:14.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021785Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:14.586{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-36D6-5FCE-0000-0010E6532D00}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021786Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:14.727{7E7FFDA1-36D6-5FCE-0000-0010E6532D00}60925756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021761Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:13.384{7E7FFDA1-36D5-5FCE-0000-00107F502D00}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021762Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:13.383{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-36D5-5FCE-0000-00107F502D00}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021763Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:13.383{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-36D5-5FCE-0000-00107F502D00}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021764Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021765Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021766Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021767Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021768Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:13.383{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-36D5-5FCE-0000-00107F502D00}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021769Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:13.962{7E7FFDA1-36D5-5FCE-0000-001031522D00}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021770Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:13.961{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-36D5-5FCE-0000-001031522D00}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021771Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:13.961{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-36D5-5FCE-0000-001031522D00}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021772Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:13.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021773Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:13.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021774Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:13.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021775Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:13.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021776Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:13.961{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-36D5-5FCE-0000-001031522D00}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021752Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:12.509{7E7FFDA1-36D4-5FCE-0000-0010B24E2D00}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021753Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:12.508{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-36D4-5FCE-0000-0010B24E2D00}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021754Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:12.508{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-36D4-5FCE-0000-0010B24E2D00}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021755Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021756Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021757Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021758Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021759Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:12.508{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-36D4-5FCE-0000-0010B24E2D00}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021760Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:12.649{7E7FFDA1-36D4-5FCE-0000-0010B24E2D00}15725464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021744Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:11.587{7E7FFDA1-36D3-5FCE-0000-0010044D2D00}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021745Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:11.586{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-36D3-5FCE-0000-0010044D2D00}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021746Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:11.586{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-36D3-5FCE-0000-0010044D2D00}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021747Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:11.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021748Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:11.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021749Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:11.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021750Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:11.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021751Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:11.586{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-36D3-5FCE-0000-0010044D2D00}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000021734Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:05:58.399{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6ccaa-0x77cb8f6a) 13241300x800000000000000021735Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:05:58.399{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cca2-0x1607276a) 13241300x800000000000000021736Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:05:58.399{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc99-0xb442bf6a) 13241300x800000000000000021737Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:05:58.399{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0075a00f) 13241300x800000000000000021738Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:05:58.399{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000021739Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:05:58.399{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6ccaa-0x77cb8f6a) 13241300x800000000000000021740Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:05:58.399{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cca2-0x1607276a) 13241300x800000000000000021741Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:05:58.399{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc99-0xb442bf6a) 13241300x800000000000000021742Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:05:58.399{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0075a00f) 13241300x800000000000000021743Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:05:58.399{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 10341000x800000000000000021705Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021706Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021707Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021708Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021709Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021710Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021711Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021712Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021713Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021714Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021715Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021716Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021717Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021718Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021719Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021720Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021721Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021722Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021723Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021724Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021725Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021726Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021727Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021728Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021729Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021730Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021731Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021732Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021733Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021704Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:39.977{7E7FFDA1-18AF-5FCE-0000-001027540000}856904C:\Windows\system32\lsass.exe{7E7FFDA1-18AE-5FCE-0000-0010EB030000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000021701Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:37.430{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021702Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:37.430{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021703Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:37.430{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021700Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:20.961{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}6125808C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010B6BF0200}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021692Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:16.477{7E7FFDA1-369C-5FCE-0000-00102F3B2D00}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021693Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:16.477{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-369C-5FCE-0000-00102F3B2D00}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021694Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:16.477{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-369C-5FCE-0000-00102F3B2D00}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021695Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021696Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021697Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021698Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021699Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:16.477{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-369C-5FCE-0000-00102F3B2D00}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021683Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:15.228{7E7FFDA1-369B-5FCE-0000-0010FC382D00}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021684Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:15.227{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-369B-5FCE-0000-0010FC382D00}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021685Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:15.227{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-369B-5FCE-0000-0010FC382D00}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021686Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:15.227{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021687Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:15.227{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021688Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:15.227{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021689Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:15.227{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021690Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:15.227{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-369B-5FCE-0000-0010FC382D00}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021691Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:15.367{7E7FFDA1-369B-5FCE-0000-0010FC382D00}60804856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021665Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:14.056{7E7FFDA1-369A-5FCE-0000-0010A3352D00}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021666Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:14.055{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-369A-5FCE-0000-0010A3352D00}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021667Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:14.055{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-369A-5FCE-0000-0010A3352D00}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021668Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021669Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021670Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021671Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021672Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:14.055{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-369A-5FCE-0000-0010A3352D00}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021673Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:14.195{7E7FFDA1-369A-5FCE-0000-0010A3352D00}66922028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021674Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:14.727{7E7FFDA1-369A-5FCE-0000-001057372D00}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021675Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:14.727{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-369A-5FCE-0000-001057372D00}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021676Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:14.727{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-369A-5FCE-0000-001057372D00}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021677Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:14.727{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021678Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:14.727{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021679Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:14.727{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021680Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:14.727{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021681Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:14.727{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-369A-5FCE-0000-001057372D00}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021682Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:14.867{7E7FFDA1-369A-5FCE-0000-001057372D00}65486284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021657Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:13.384{7E7FFDA1-3699-5FCE-0000-0010D5332D00}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021658Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:13.383{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3699-5FCE-0000-0010D5332D00}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021659Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:13.383{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3699-5FCE-0000-0010D5332D00}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021660Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021661Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021662Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021663Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021664Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:13.383{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3699-5FCE-0000-0010D5332D00}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021648Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:12.493{7E7FFDA1-3698-5FCE-0000-00100A322D00}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021649Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:12.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3698-5FCE-0000-00100A322D00}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021650Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:12.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3698-5FCE-0000-00100A322D00}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021651Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021652Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021653Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021654Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021655Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:12.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3698-5FCE-0000-00100A322D00}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021656Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:12.633{7E7FFDA1-3698-5FCE-0000-00100A322D00}19763856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021640Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:11.571{7E7FFDA1-3697-5FCE-0000-001056302D00}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021641Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:11.571{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3697-5FCE-0000-001056302D00}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021642Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:11.571{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3697-5FCE-0000-001056302D00}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021643Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:11.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021644Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:11.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021645Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:11.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021646Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:11.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021647Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:11.571{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3697-5FCE-0000-001056302D00}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021632Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:16.478{7E7FFDA1-3660-5FCE-0000-0010B9232D00}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021633Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:16.477{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3660-5FCE-0000-0010B9232D00}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021634Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:16.477{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-3660-5FCE-0000-0010B9232D00}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021635Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021636Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021637Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021638Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021639Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:16.477{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3660-5FCE-0000-0010B9232D00}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021623Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:15.228{7E7FFDA1-365F-5FCE-0000-00108B212D00}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021624Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:15.227{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-365F-5FCE-0000-00108B212D00}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021625Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:15.227{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-365F-5FCE-0000-00108B212D00}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021626Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:15.227{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021627Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:15.227{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021628Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:15.227{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021629Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:15.227{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021630Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:15.227{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-365F-5FCE-0000-00108B212D00}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021631Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:15.367{7E7FFDA1-365F-5FCE-0000-00108B212D00}19165188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021605Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:14.056{7E7FFDA1-365E-5FCE-0000-0010381E2D00}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021606Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:14.055{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-365E-5FCE-0000-0010381E2D00}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021607Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:14.055{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-365E-5FCE-0000-0010381E2D00}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021608Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021609Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021610Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021611Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021612Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:14.055{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-365E-5FCE-0000-0010381E2D00}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021613Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:14.196{7E7FFDA1-365E-5FCE-0000-0010381E2D00}12401056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021614Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:14.728{7E7FFDA1-365E-5FCE-0000-0010EA1F2D00}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021615Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:14.727{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-365E-5FCE-0000-0010EA1F2D00}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021616Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:14.727{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-365E-5FCE-0000-0010EA1F2D00}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021617Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:14.727{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021618Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:14.727{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021619Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:14.727{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021620Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:14.727{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021621Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:14.727{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-365E-5FCE-0000-0010EA1F2D00}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021622Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:14.867{7E7FFDA1-365E-5FCE-0000-0010EA1F2D00}9846952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021597Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:13.384{7E7FFDA1-365D-5FCE-0000-0010651C2D00}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021598Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:13.383{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-365D-5FCE-0000-0010651C2D00}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021599Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:13.383{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-365D-5FCE-0000-0010651C2D00}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021600Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021601Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021602Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021603Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021604Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:13.383{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-365D-5FCE-0000-0010651C2D00}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021588Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:12.493{7E7FFDA1-365C-5FCE-0000-0010A01A2D00}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021589Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:12.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-365C-5FCE-0000-0010A01A2D00}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021590Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:12.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-365C-5FCE-0000-0010A01A2D00}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021591Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021592Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021593Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021594Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021595Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:12.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-365C-5FCE-0000-0010A01A2D00}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021596Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:12.633{7E7FFDA1-365C-5FCE-0000-0010A01A2D00}53846688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021580Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:11.571{7E7FFDA1-365B-5FCE-0000-001011192D00}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021581Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:11.571{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-365B-5FCE-0000-001011192D00}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021582Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:11.571{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-365B-5FCE-0000-001011192D00}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021583Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:11.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021584Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:11.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021585Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:11.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021586Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:11.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021587Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:11.571{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-365B-5FCE-0000-001011192D00}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021551Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021552Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021553Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021554Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021555Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021556Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021557Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021558Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021559Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021560Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021561Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021562Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021563Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021564Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021565Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021566Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021567Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021568Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021569Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021570Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021571Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021572Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021573Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021574Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021575Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021576Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021577Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021578Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021579Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000021548Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:03:19.289{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_A47110B2-D436-47F8-BEA1-61CCEBF6C04E.XML 13241300x800000000000000021549Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:03:19.289{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Config SourceDWORD (0x00000001) 13241300x800000000000000021550Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:03:19.305{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9D191D6C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9D191D6C-0000-0000-0000-100000000000.XML 154100x800000000000000021540Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:16.463{7E7FFDA1-3624-5FCE-0000-0010830A2D00}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021541Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:16.461{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3624-5FCE-0000-0010830A2D00}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021542Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:16.461{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3624-5FCE-0000-0010830A2D00}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021543Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:16.461{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021544Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:16.461{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021545Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:16.461{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021546Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:16.461{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021547Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:16.461{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3624-5FCE-0000-0010830A2D00}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021531Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:15.228{7E7FFDA1-3623-5FCE-0000-00109E082D00}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021532Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:15.227{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3623-5FCE-0000-00109E082D00}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021533Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:15.227{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3623-5FCE-0000-00109E082D00}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021534Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:15.227{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021535Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:15.227{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021536Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:15.227{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021537Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:15.227{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021538Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:15.227{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3623-5FCE-0000-00109E082D00}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021539Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:15.368{7E7FFDA1-3623-5FCE-0000-00109E082D00}6740108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021513Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:14.056{7E7FFDA1-3622-5FCE-0000-0010E7042D00}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021514Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:14.055{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3622-5FCE-0000-0010E7042D00}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021515Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:14.055{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-3622-5FCE-0000-0010E7042D00}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021516Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021517Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021518Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021519Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021520Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:14.055{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3622-5FCE-0000-0010E7042D00}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021521Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:14.196{7E7FFDA1-3622-5FCE-0000-0010E7042D00}67922572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021522Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:14.572{7E7FFDA1-3622-5FCE-0000-001093062D00}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021523Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:14.571{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3622-5FCE-0000-001093062D00}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021524Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:14.571{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3622-5FCE-0000-001093062D00}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021525Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:14.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021526Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:14.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021527Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:14.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021528Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:14.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021529Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:14.571{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3622-5FCE-0000-001093062D00}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021530Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:14.711{7E7FFDA1-3622-5FCE-0000-001093062D00}67084444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021505Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:13.384{7E7FFDA1-3621-5FCE-0000-001011032D00}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021506Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:13.383{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3621-5FCE-0000-001011032D00}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021507Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:13.383{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3621-5FCE-0000-001011032D00}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021508Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021509Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021510Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021511Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021512Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:13.383{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3621-5FCE-0000-001011032D00}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021496Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:12.493{7E7FFDA1-3620-5FCE-0000-001062012D00}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021497Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:12.493{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3620-5FCE-0000-001062012D00}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021498Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:12.493{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3620-5FCE-0000-001062012D00}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021499Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021500Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021501Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021502Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021503Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:12.493{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3620-5FCE-0000-001062012D00}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021504Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:12.633{7E7FFDA1-3620-5FCE-0000-001062012D00}62644544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021488Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:11.556{7E7FFDA1-361F-5FCE-0000-0010B6FF2C00}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021489Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:11.555{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-361F-5FCE-0000-0010B6FF2C00}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021490Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:11.555{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-361F-5FCE-0000-0010B6FF2C00}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021491Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021492Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021493Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021494Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021495Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:11.555{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-361F-5FCE-0000-0010B6FF2C00}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021480Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:16.509{7E7FFDA1-35E8-5FCE-0000-00106CE32C00}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021481Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:16.508{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-35E8-5FCE-0000-00106CE32C00}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021482Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:16.508{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-35E8-5FCE-0000-00106CE32C00}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021483Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021484Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021485Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021486Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021487Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:16.508{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-35E8-5FCE-0000-00106CE32C00}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021471Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:15.369{7E7FFDA1-35E7-5FCE-0000-0010A3E12C00}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021472Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:15.368{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-35E7-5FCE-0000-0010A3E12C00}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021473Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:15.368{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-35E7-5FCE-0000-0010A3E12C00}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021474Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:15.368{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021475Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:15.368{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021476Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:15.368{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021477Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:15.368{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021478Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:15.368{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-35E7-5FCE-0000-0010A3E12C00}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021479Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:15.508{7E7FFDA1-35E7-5FCE-0000-0010A3E12C00}68725836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021454Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:14.056{7E7FFDA1-35E6-5FCE-0000-0010DFDD2C00}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021455Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:14.055{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-35E6-5FCE-0000-0010DFDD2C00}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021456Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:14.055{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-35E6-5FCE-0000-0010DFDD2C00}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021457Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021458Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021459Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021460Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021461Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:14.055{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-35E6-5FCE-0000-0010DFDD2C00}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021462Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:14.728{7E7FFDA1-35E6-5FCE-0000-00107CDF2C00}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021463Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:14.727{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-35E6-5FCE-0000-00107CDF2C00}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021464Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:14.727{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-35E6-5FCE-0000-00107CDF2C00}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021465Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:14.727{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021466Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:14.727{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021467Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:14.727{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021468Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:14.727{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021469Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:14.727{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-35E6-5FCE-0000-00107CDF2C00}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021470Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:14.868{7E7FFDA1-35E6-5FCE-0000-00107CDF2C00}53324344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021445Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:13.384{7E7FFDA1-35E5-5FCE-0000-00101BDC2C00}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021446Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:13.383{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-35E5-5FCE-0000-00101BDC2C00}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021447Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:13.383{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-35E5-5FCE-0000-00101BDC2C00}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021448Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021449Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021450Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021451Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021452Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:13.383{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-35E5-5FCE-0000-00101BDC2C00}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021453Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:13.524{7E7FFDA1-35E5-5FCE-0000-00101BDC2C00}67004956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021436Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:12.478{7E7FFDA1-35E4-5FCE-0000-00104FDA2C00}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021437Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:12.477{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-35E4-5FCE-0000-00104FDA2C00}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021438Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:12.477{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-35E4-5FCE-0000-00104FDA2C00}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021439Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:12.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021440Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:12.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021441Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:12.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021442Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:12.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021443Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:12.477{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-35E4-5FCE-0000-00104FDA2C00}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021444Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:12.618{7E7FFDA1-35E4-5FCE-0000-00104FDA2C00}58205440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021428Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:11.556{7E7FFDA1-35E3-5FCE-0000-00109ED82C00}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021429Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:11.555{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-35E3-5FCE-0000-00109ED82C00}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021430Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:11.555{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-35E3-5FCE-0000-00109ED82C00}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021431Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021432Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021433Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021434Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021435Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:11.555{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-35E3-5FCE-0000-00109ED82C00}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021427Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:40.727{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}6125808C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-001002BA0000}1152C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021419Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:16.509{7E7FFDA1-35AC-5FCE-0000-001052CC2C00}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021420Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:16.508{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-35AC-5FCE-0000-001052CC2C00}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021421Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:16.508{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-35AC-5FCE-0000-001052CC2C00}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021422Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021423Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021424Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021425Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021426Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:16.508{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-35AC-5FCE-0000-001052CC2C00}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021410Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:15.400{7E7FFDA1-35AB-5FCE-0000-0010A5CA2C00}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021411Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:15.399{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-35AB-5FCE-0000-0010A5CA2C00}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021412Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:15.399{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-35AB-5FCE-0000-0010A5CA2C00}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021413Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:15.399{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021414Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:15.399{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021415Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:15.399{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021416Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:15.399{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021417Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:15.399{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-35AB-5FCE-0000-0010A5CA2C00}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021418Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:15.540{7E7FFDA1-35AB-5FCE-0000-0010A5CA2C00}59401912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021393Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:14.056{7E7FFDA1-35AA-5FCE-0000-00104EC62C00}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021394Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:14.055{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-35AA-5FCE-0000-00104EC62C00}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021395Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:14.055{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-35AA-5FCE-0000-00104EC62C00}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021396Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021397Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021398Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021399Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021400Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:14.055{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-35AA-5FCE-0000-00104EC62C00}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021401Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:14.728{7E7FFDA1-35AA-5FCE-0000-001098C82C00}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021402Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:14.727{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-35AA-5FCE-0000-001098C82C00}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021403Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:14.727{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-35AA-5FCE-0000-001098C82C00}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021404Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:14.727{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021405Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:14.727{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021406Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:14.727{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021407Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:14.727{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021408Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:14.727{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-35AA-5FCE-0000-001098C82C00}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021409Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:14.868{7E7FFDA1-35AA-5FCE-0000-001098C82C00}20081472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021384Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:13.384{7E7FFDA1-35A9-5FCE-0000-00108DC42C00}1392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021385Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:13.383{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-35A9-5FCE-0000-00108DC42C00}1392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021386Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:13.383{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-35A9-5FCE-0000-00108DC42C00}1392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021387Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021388Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021389Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021390Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021391Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:13.383{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-35A9-5FCE-0000-00108DC42C00}1392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021392Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:13.524{7E7FFDA1-35A9-5FCE-0000-00108DC42C00}13921448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021375Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:12.478{7E7FFDA1-35A8-5FCE-0000-0010C7C22C00}628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021376Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:12.477{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-35A8-5FCE-0000-0010C7C22C00}628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021377Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:12.477{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-35A8-5FCE-0000-0010C7C22C00}628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021378Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:12.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021379Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:12.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021380Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:12.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021381Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:12.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021382Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:12.477{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-35A8-5FCE-0000-0010C7C22C00}628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021383Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:12.618{7E7FFDA1-35A8-5FCE-0000-0010C7C22C00}6286372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021367Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:11.556{7E7FFDA1-35A7-5FCE-0000-001012C12C00}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021368Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:11.555{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-35A7-5FCE-0000-001012C12C00}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021369Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:11.555{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-35A7-5FCE-0000-001012C12C00}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021370Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021371Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021372Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021373Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021374Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:11.555{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-35A7-5FCE-0000-001012C12C00}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000021357Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:00:58.383{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6cca9-0xc4f8c06a) 13241300x800000000000000021358Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:00:58.383{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cca1-0x6334586a) 13241300x800000000000000021359Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:00:58.383{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc99-0x016ff06a) 13241300x800000000000000021360Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:00:58.383{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00710c1f) 13241300x800000000000000021361Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:00:58.383{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000021362Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:00:58.383{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6cca9-0xc4f8c06a) 13241300x800000000000000021363Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:00:58.383{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cca1-0x6334586a) 13241300x800000000000000021364Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:00:58.383{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc99-0x016ff06a) 13241300x800000000000000021365Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:00:58.383{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00710c1f) 13241300x800000000000000021366Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:00:58.383{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 10341000x800000000000000021356Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:39.837{7E7FFDA1-18AF-5FCE-0000-001027540000}8566336C:\Windows\system32\lsass.exe{7E7FFDA1-18AE-5FCE-0000-0010EB030000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000021353Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:37.415{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021354Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:37.415{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021355Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:37.415{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021345Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:16.509{7E7FFDA1-3570-5FCE-0000-0010CFAE2C00}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021346Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:16.508{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3570-5FCE-0000-0010CFAE2C00}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021347Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:16.508{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3570-5FCE-0000-0010CFAE2C00}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021348Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021349Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021350Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021351Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021352Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:16.508{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3570-5FCE-0000-0010CFAE2C00}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021336Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:15.353{7E7FFDA1-356F-5FCE-0000-0010EBAC2C00}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021337Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:15.352{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-356F-5FCE-0000-0010EBAC2C00}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021338Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:15.352{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-356F-5FCE-0000-0010EBAC2C00}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021339Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:15.352{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021340Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:15.352{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021341Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:15.352{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021342Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:15.352{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021343Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:15.352{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-356F-5FCE-0000-0010EBAC2C00}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021344Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:15.493{7E7FFDA1-356F-5FCE-0000-0010EBAC2C00}28445424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021319Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:14.056{7E7FFDA1-356E-5FCE-0000-001021A92C00}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021320Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:14.055{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-356E-5FCE-0000-001021A92C00}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021321Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:14.055{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-356E-5FCE-0000-001021A92C00}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021322Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021323Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021324Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021325Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021326Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:14.055{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-356E-5FCE-0000-001021A92C00}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021327Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:14.697{7E7FFDA1-356E-5FCE-0000-0010F1AA2C00}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021328Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:14.696{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-356E-5FCE-0000-0010F1AA2C00}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021329Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:14.696{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-356E-5FCE-0000-0010F1AA2C00}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021330Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:14.696{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021331Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:14.696{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021332Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:14.696{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021333Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:14.696{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021334Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:14.696{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-356E-5FCE-0000-0010F1AA2C00}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021335Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:14.837{7E7FFDA1-356E-5FCE-0000-0010F1AA2C00}68521864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021310Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:13.384{7E7FFDA1-356D-5FCE-0000-00108FA72C00}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021311Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:13.383{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-356D-5FCE-0000-00108FA72C00}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021312Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:13.383{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-356D-5FCE-0000-00108FA72C00}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021313Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021314Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021315Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021316Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021317Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:13.383{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-356D-5FCE-0000-00108FA72C00}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021318Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:13.524{7E7FFDA1-356D-5FCE-0000-00108FA72C00}69924996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021301Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:12.478{7E7FFDA1-356C-5FCE-0000-0010CDA52C00}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021302Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:12.477{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-356C-5FCE-0000-0010CDA52C00}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021303Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:12.477{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-356C-5FCE-0000-0010CDA52C00}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021304Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:12.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021305Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:12.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021306Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:12.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021307Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:12.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021308Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:12.477{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-356C-5FCE-0000-0010CDA52C00}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021309Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:12.618{7E7FFDA1-356C-5FCE-0000-0010CDA52C00}69284388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021293Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:11.556{7E7FFDA1-356B-5FCE-0000-001014A42C00}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021294Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:11.555{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-356B-5FCE-0000-001014A42C00}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021295Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:11.555{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-356B-5FCE-0000-001014A42C00}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021296Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021297Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021298Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021299Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021300Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:11.555{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-356B-5FCE-0000-001014A42C00}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021264Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021265Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021266Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021267Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021268Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021269Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021270Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021271Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021272Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021273Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021274Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021275Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021276Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021277Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021278Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021279Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021280Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021281Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021282Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021283Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021284Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021285Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021286Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021287Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021288Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021289Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021290Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021291Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021292Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021256Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:16.509{7E7FFDA1-3534-5FCE-0000-0010B1962C00}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021257Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:16.509{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3534-5FCE-0000-0010B1962C00}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021258Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:16.509{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3534-5FCE-0000-0010B1962C00}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021259Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:16.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021260Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:16.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021261Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:16.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021262Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:16.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021263Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:16.509{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3534-5FCE-0000-0010B1962C00}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021246Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:14.993{7E7FFDA1-3532-5FCE-0000-0010BC922C00}68086824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021247Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:15.353{7E7FFDA1-3533-5FCE-0000-0010F2942C00}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021248Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:15.352{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3533-5FCE-0000-0010F2942C00}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021249Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:15.352{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3533-5FCE-0000-0010F2942C00}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021250Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:15.352{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021251Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:15.352{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021252Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:15.352{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021253Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:15.352{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021254Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:15.352{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3533-5FCE-0000-0010F2942C00}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021255Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:15.493{7E7FFDA1-3533-5FCE-0000-0010F2942C00}59804400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021229Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:14.181{7E7FFDA1-3532-5FCE-0000-001013912C00}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021230Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:14.180{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3532-5FCE-0000-001013912C00}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021231Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:14.180{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3532-5FCE-0000-001013912C00}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021232Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:14.180{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021233Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:14.180{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021234Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:14.180{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021235Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:14.180{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021236Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:14.180{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3532-5FCE-0000-001013912C00}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021237Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:14.321{7E7FFDA1-3532-5FCE-0000-001013912C00}24766948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021238Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:14.853{7E7FFDA1-3532-5FCE-0000-0010BC922C00}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021239Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:14.852{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3532-5FCE-0000-0010BC922C00}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021240Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:14.852{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3532-5FCE-0000-0010BC922C00}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021241Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:14.852{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021242Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:14.852{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021243Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:14.852{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021244Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:14.852{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021245Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:14.852{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3532-5FCE-0000-0010BC922C00}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021221Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:13.509{7E7FFDA1-3531-5FCE-0000-0010638F2C00}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021222Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:13.509{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3531-5FCE-0000-0010638F2C00}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021223Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:13.509{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3531-5FCE-0000-0010638F2C00}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021224Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:13.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021225Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:13.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021226Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:13.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021227Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:13.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021228Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:13.509{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3531-5FCE-0000-0010638F2C00}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021212Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:12.462{7E7FFDA1-3530-5FCE-0000-0010968D2C00}4976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021213Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:12.462{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3530-5FCE-0000-0010968D2C00}4976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021214Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:12.462{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3530-5FCE-0000-0010968D2C00}4976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021215Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:12.462{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021216Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:12.462{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021217Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:12.462{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021218Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:12.462{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021219Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:12.462{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3530-5FCE-0000-0010968D2C00}4976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021220Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:12.602{7E7FFDA1-3530-5FCE-0000-0010968D2C00}49761104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021204Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:11.556{7E7FFDA1-352F-5FCE-0000-0010E68B2C00}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021205Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:11.555{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-352F-5FCE-0000-0010E68B2C00}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021206Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:11.555{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-352F-5FCE-0000-0010E68B2C00}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021207Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021208Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021209Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021210Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021211Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:11.555{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-352F-5FCE-0000-0010E68B2C00}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000021201Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:58:18.704{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_A47110B2-D436-47F8-BEA1-61CCEBF6C04E.XML 13241300x800000000000000021202Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:58:18.704{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Config SourceDWORD (0x00000001) 13241300x800000000000000021203Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:58:18.704{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9D191D6C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9D191D6C-0000-0000-0000-100000000000.XML 154100x800000000000000021193Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:16.509{7E7FFDA1-34F8-5FCE-0000-0010257D2C00}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021194Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:16.509{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-34F8-5FCE-0000-0010257D2C00}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021195Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:16.509{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-34F8-5FCE-0000-0010257D2C00}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021196Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:16.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021197Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:16.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021198Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:16.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021199Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:16.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021200Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:16.509{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-34F8-5FCE-0000-0010257D2C00}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021183Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:15.009{7E7FFDA1-34F6-5FCE-0000-001049792C00}60525212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021184Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:15.353{7E7FFDA1-34F7-5FCE-0000-0010637B2C00}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021185Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:15.352{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-34F7-5FCE-0000-0010637B2C00}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021186Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:15.352{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-34F7-5FCE-0000-0010637B2C00}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021187Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:15.352{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021188Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:15.352{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021189Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:15.352{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021190Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:15.352{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021191Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:15.352{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-34F7-5FCE-0000-0010637B2C00}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021192Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:15.493{7E7FFDA1-34F7-5FCE-0000-0010637B2C00}24923032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021166Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:14.181{7E7FFDA1-34F6-5FCE-0000-0010AA772C00}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021167Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:14.181{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-34F6-5FCE-0000-0010AA772C00}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021168Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:14.181{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-34F6-5FCE-0000-0010AA772C00}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021169Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:14.181{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021170Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:14.181{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021171Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:14.181{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021172Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:14.181{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021173Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:14.181{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-34F6-5FCE-0000-0010AA772C00}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021174Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:14.321{7E7FFDA1-34F6-5FCE-0000-0010AA772C00}11165304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021175Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:14.853{7E7FFDA1-34F6-5FCE-0000-001049792C00}6052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021176Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:14.852{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-34F6-5FCE-0000-001049792C00}6052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021177Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:14.852{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-34F6-5FCE-0000-001049792C00}6052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021178Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:14.852{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021179Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:14.852{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021180Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:14.852{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021181Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:14.852{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021182Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:14.852{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-34F6-5FCE-0000-001049792C00}6052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021158Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:13.509{7E7FFDA1-34F5-5FCE-0000-0010EF752C00}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021159Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:13.509{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-34F5-5FCE-0000-0010EF752C00}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021160Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:13.509{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-34F5-5FCE-0000-0010EF752C00}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021161Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:13.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021162Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:13.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021163Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:13.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021164Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:13.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021165Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:13.509{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-34F5-5FCE-0000-0010EF752C00}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021149Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:12.447{7E7FFDA1-34F4-5FCE-0000-001023742C00}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021150Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:12.446{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-34F4-5FCE-0000-001023742C00}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021151Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:12.446{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-34F4-5FCE-0000-001023742C00}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021152Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:12.446{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021153Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:12.446{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021154Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:12.446{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021155Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:12.446{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021156Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:12.446{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-34F4-5FCE-0000-001023742C00}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021157Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:12.587{7E7FFDA1-34F4-5FCE-0000-001023742C00}13005224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021141Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:11.541{7E7FFDA1-34F3-5FCE-0000-00106C722C00}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021142Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:11.540{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-34F3-5FCE-0000-00106C722C00}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021143Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:11.540{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-34F3-5FCE-0000-00106C722C00}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021144Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:11.540{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021145Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:11.540{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021146Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:11.540{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021147Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:11.540{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021148Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:11.540{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-34F3-5FCE-0000-00106C722C00}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021112Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021113Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021114Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021115Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021116Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021117Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021118Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021119Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021120Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021121Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021122Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021123Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021124Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021125Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021126Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021127Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021128Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021129Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021130Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021131Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021132Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021133Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021134Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021135Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021136Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021137Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021138Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021139Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021140Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000021098Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:39.384{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001) 10341000x800000000000000021099Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:39.384{7E7FFDA1-18AF-5FCE-0000-001027540000}8566336C:\Windows\system32\lsass.exe{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31375|C:\Windows\system32\lsasrv.dll+2f20b|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x800000000000000021100Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:39.384{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\Hostnamewin-dc-633 13241300x800000000000000021101Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:39.384{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\AdapterDomainName(Empty) 13241300x800000000000000021102Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:39.384{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\PrimaryDomainNameattackrange.local 13241300x800000000000000021103Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:39.384{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\HostAddrsBinary Data 13241300x800000000000000021104Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:39.384{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\DnsServersBinary Data 13241300x800000000000000021105Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:39.384{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\SentUpdateToIpBinary Data 13241300x800000000000000021106Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:39.384{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\SentPriUpdateToIpBinary Data 13241300x800000000000000021107Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:39.384{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\TtlDWORD (0x000004b0) 13241300x800000000000000021108Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:39.384{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\FlagsDWORD (0x00000002) 13241300x800000000000000021109Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:39.384{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\CompartmentIdDWORD (0x00000001) 13241300x800000000000000021110Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:39.384{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\StaleAdapterDWORD (0x00000000) 13241300x800000000000000021111Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:39.384{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001) 10341000x800000000000000021084Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:37.118{7E7FFDA1-18B1-5FCE-0000-001002BA0000}1152844C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021085Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:37.118{7E7FFDA1-18B1-5FCE-0000-001002BA0000}1152844C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000021086Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:37.352{7E7FFDA1-18B1-5FCE-0000-001014C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpInterfaceOptionsBinary Data 13241300x800000000000000021087Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:37.352{7E7FFDA1-18B1-5FCE-0000-001014C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpIPAddress10.0.1.14 13241300x800000000000000021088Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:37.352{7E7FFDA1-18B1-5FCE-0000-001014C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpSubnetMask255.255.255.0 13241300x800000000000000021089Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:37.352{7E7FFDA1-18B1-5FCE-0000-001014C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpServer10.0.1.1 13241300x800000000000000021090Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:37.352{7E7FFDA1-18B1-5FCE-0000-001014C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\LeaseDWORD (0x00000e10) 13241300x800000000000000021091Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:37.352{7E7FFDA1-18B1-5FCE-0000-001014C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\LeaseObtainedTimeDWORD (0x5fce34d1) 13241300x800000000000000021092Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:37.352{7E7FFDA1-18B1-5FCE-0000-001014C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\T1DWORD (0x5fce3bd9) 13241300x800000000000000021093Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:37.352{7E7FFDA1-18B1-5FCE-0000-001014C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\T2DWORD (0x5fce411f) 13241300x800000000000000021094Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:37.352{7E7FFDA1-18B1-5FCE-0000-001014C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\LeaseTerminatesTimeDWORD (0x5fce42e1) 13241300x800000000000000021095Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:37.352{7E7FFDA1-18B1-5FCE-0000-001014C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\AddressTypeDWORD (0x00000000) 13241300x800000000000000021096Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:37.352{7E7FFDA1-18B1-5FCE-0000-001014C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\IsServerNapAwareDWORD (0x00000000) 13241300x800000000000000021097Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:37.352{7E7FFDA1-18B1-5FCE-0000-001014C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 10341000x800000000000000021083Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:35.524{7E7FFDA1-18AF-5FCE-0000-001027540000}8566336C:\Windows\system32\lsass.exe{7E7FFDA1-18AE-5FCE-0000-0010EB030000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 154100x800000000000000021075Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:16.494{7E7FFDA1-34BC-5FCE-0000-00101B5F2C00}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021076Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:16.493{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-34BC-5FCE-0000-00101B5F2C00}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021077Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:16.493{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-34BC-5FCE-0000-00101B5F2C00}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021078Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:16.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021079Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:16.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021080Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:16.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021081Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:16.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021082Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:16.493{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-34BC-5FCE-0000-00101B5F2C00}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021066Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:15.337{7E7FFDA1-34BB-5FCE-0000-0010435D2C00}6188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021067Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:15.337{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-34BB-5FCE-0000-0010435D2C00}6188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021068Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:15.337{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-34BB-5FCE-0000-0010435D2C00}6188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021069Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:15.337{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021070Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:15.337{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021071Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:15.337{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021072Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:15.337{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021073Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:15.337{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-34BB-5FCE-0000-0010435D2C00}6188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021074Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:15.477{7E7FFDA1-34BB-5FCE-0000-0010435D2C00}61885036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021048Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:14.165{7E7FFDA1-34BA-5FCE-0000-00108C592C00}4968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021049Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:14.165{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-34BA-5FCE-0000-00108C592C00}4968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021050Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:14.165{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-34BA-5FCE-0000-00108C592C00}4968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021051Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:14.165{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021052Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:14.165{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021053Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:14.165{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021054Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:14.165{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021055Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:14.165{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-34BA-5FCE-0000-00108C592C00}4968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021056Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:14.305{7E7FFDA1-34BA-5FCE-0000-00108C592C00}49685744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021057Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:14.837{7E7FFDA1-34BA-5FCE-0000-0010385B2C00}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021058Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:14.837{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-34BA-5FCE-0000-0010385B2C00}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021059Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:14.837{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-34BA-5FCE-0000-0010385B2C00}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021060Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:14.837{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021061Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:14.837{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021062Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:14.837{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021063Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:14.837{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021064Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:14.837{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-34BA-5FCE-0000-0010385B2C00}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021065Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:14.977{7E7FFDA1-34BA-5FCE-0000-0010385B2C00}65887144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021040Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:13.494{7E7FFDA1-34B9-5FCE-0000-0010DE572C00}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021041Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:13.493{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-34B9-5FCE-0000-0010DE572C00}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021042Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:13.493{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-34B9-5FCE-0000-0010DE572C00}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021043Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:13.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021044Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:13.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021045Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:13.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021046Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:13.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021047Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:13.493{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-34B9-5FCE-0000-0010DE572C00}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021031Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:12.493{7E7FFDA1-34B8-5FCE-0000-001012562C00}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021032Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:12.493{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-34B8-5FCE-0000-001012562C00}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021033Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:12.493{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-34B8-5FCE-0000-001012562C00}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021034Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021035Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021036Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021037Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021038Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:12.493{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-34B8-5FCE-0000-001012562C00}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021039Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:12.633{7E7FFDA1-34B8-5FCE-0000-001012562C00}69206120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021023Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:11.509{7E7FFDA1-34B7-5FCE-0000-001058542C00}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021024Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:11.508{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-34B7-5FCE-0000-001058542C00}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021025Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:11.508{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-34B7-5FCE-0000-001058542C00}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021026Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:11.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021027Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:11.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021028Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:11.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021029Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:11.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021030Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:11.508{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-34B7-5FCE-0000-001058542C00}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021015Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:16.493{7E7FFDA1-3480-5FCE-0000-001074482C00}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021016Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:16.493{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3480-5FCE-0000-001074482C00}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021017Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:16.493{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3480-5FCE-0000-001074482C00}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021018Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:16.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021019Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:16.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021020Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:16.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021021Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:16.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021022Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:16.493{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3480-5FCE-0000-001074482C00}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021006Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:15.337{7E7FFDA1-347F-5FCE-0000-0010B5462C00}2140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021007Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:15.336{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-347F-5FCE-0000-0010B5462C00}2140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021008Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:15.336{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-347F-5FCE-0000-0010B5462C00}2140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021009Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:15.336{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021010Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:15.336{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021011Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:15.336{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021012Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:15.336{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021013Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:15.336{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-347F-5FCE-0000-0010B5462C00}2140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021014Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:15.477{7E7FFDA1-347F-5FCE-0000-0010B5462C00}21407152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020988Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:14.165{7E7FFDA1-347E-5FCE-0000-0010D5422C00}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020989Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:14.164{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-347E-5FCE-0000-0010D5422C00}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020990Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:14.164{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-347E-5FCE-0000-0010D5422C00}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020991Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:14.164{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020992Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:14.164{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020993Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:14.164{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020994Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:14.164{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020995Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:14.164{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-347E-5FCE-0000-0010D5422C00}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020996Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:14.305{7E7FFDA1-347E-5FCE-0000-0010D5422C00}36886076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020997Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:14.837{7E7FFDA1-347E-5FCE-0000-001090442C00}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020998Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:14.836{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-347E-5FCE-0000-001090442C00}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020999Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:14.836{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-347E-5FCE-0000-001090442C00}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021000Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:14.836{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021001Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:14.836{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021002Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:14.836{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021003Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:14.836{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021004Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:14.836{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-347E-5FCE-0000-001090442C00}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021005Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:14.977{7E7FFDA1-347E-5FCE-0000-001090442C00}52086232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020980Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:13.493{7E7FFDA1-347D-5FCE-0000-001023412C00}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020981Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:13.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-347D-5FCE-0000-001023412C00}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020982Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:13.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-347D-5FCE-0000-001023412C00}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020983Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:13.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020984Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:13.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020985Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:13.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020986Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:13.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020987Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:13.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-347D-5FCE-0000-001023412C00}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020971Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:12.493{7E7FFDA1-347C-5FCE-0000-0010563F2C00}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020972Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:12.493{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-347C-5FCE-0000-0010563F2C00}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020973Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:12.493{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-347C-5FCE-0000-0010563F2C00}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020974Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020975Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020976Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020977Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020978Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:12.493{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-347C-5FCE-0000-0010563F2C00}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020979Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:12.633{7E7FFDA1-347C-5FCE-0000-0010563F2C00}54763560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020963Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:11.493{7E7FFDA1-347B-5FCE-0000-0010A73D2C00}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020964Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:11.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-347B-5FCE-0000-0010A73D2C00}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020965Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:11.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-347B-5FCE-0000-0010A73D2C00}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020966Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020967Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020968Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020969Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020970Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:11.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-347B-5FCE-0000-0010A73D2C00}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000020953Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:55:58.367{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6cca9-0x1228626a) 13241300x800000000000000020954Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:55:58.367{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cca0-0xb063fa6a) 13241300x800000000000000020955Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:55:58.367{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc98-0x4e9f926a) 13241300x800000000000000020956Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:55:58.367{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006c783f) 13241300x800000000000000020957Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:55:58.367{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000020958Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:55:58.367{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6cca9-0x1228626a) 13241300x800000000000000020959Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:55:58.367{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cca0-0xb063fa6a) 13241300x800000000000000020960Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:55:58.367{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc98-0x4e9f926a) 13241300x800000000000000020961Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:55:58.367{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006c783f) 13241300x800000000000000020962Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:55:58.367{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 10341000x800000000000000020924Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020925Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020926Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020927Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020928Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020929Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020930Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020931Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020932Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020933Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020934Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020935Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020936Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020937Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020938Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020939Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020940Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020941Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020942Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020943Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020944Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020945Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020946Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020947Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020948Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020949Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020950Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020951Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020952Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020923Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:39.695{7E7FFDA1-18AF-5FCE-0000-001027540000}856896C:\Windows\system32\lsass.exe{7E7FFDA1-18AE-5FCE-0000-0010EB030000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000020920Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:37.399{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020921Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:37.399{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020922Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:37.399{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020912Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:16.493{7E7FFDA1-3444-5FCE-0000-0010A42B2C00}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020913Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:16.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3444-5FCE-0000-0010A42B2C00}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020914Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:16.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3444-5FCE-0000-0010A42B2C00}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020915Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:16.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020916Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:16.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020917Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:16.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020918Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:16.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020919Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:16.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3444-5FCE-0000-0010A42B2C00}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020903Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:15.337{7E7FFDA1-3443-5FCE-0000-0010D6292C00}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020904Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:15.336{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3443-5FCE-0000-0010D6292C00}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020905Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:15.336{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3443-5FCE-0000-0010D6292C00}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020906Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:15.336{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020907Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:15.336{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020908Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:15.336{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020909Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:15.336{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020910Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:15.336{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3443-5FCE-0000-0010D6292C00}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020911Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:15.477{7E7FFDA1-3443-5FCE-0000-0010D6292C00}44924592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020886Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:14.165{7E7FFDA1-3442-5FCE-0000-001011262C00}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020887Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:14.164{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3442-5FCE-0000-001011262C00}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020888Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:14.164{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3442-5FCE-0000-001011262C00}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020889Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:14.164{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020890Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:14.164{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020891Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:14.164{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020892Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:14.164{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020893Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:14.164{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3442-5FCE-0000-001011262C00}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020894Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:14.837{7E7FFDA1-3442-5FCE-0000-0010AE272C00}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020895Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:14.836{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3442-5FCE-0000-0010AE272C00}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020896Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:14.836{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3442-5FCE-0000-0010AE272C00}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020897Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:14.836{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020898Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:14.836{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020899Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:14.836{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020900Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:14.836{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020901Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:14.836{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3442-5FCE-0000-0010AE272C00}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020902Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:14.977{7E7FFDA1-3442-5FCE-0000-0010AE272C00}17726488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020877Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:13.493{7E7FFDA1-3441-5FCE-0000-001053242C00}3684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020878Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:13.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3441-5FCE-0000-001053242C00}3684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020879Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:13.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3441-5FCE-0000-001053242C00}3684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020880Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:13.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020881Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:13.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020882Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:13.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020883Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:13.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020884Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:13.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3441-5FCE-0000-001053242C00}3684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020885Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:13.633{7E7FFDA1-3441-5FCE-0000-001053242C00}36846872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020868Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:12.493{7E7FFDA1-3440-5FCE-0000-001085222C00}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020869Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:12.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3440-5FCE-0000-001085222C00}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020870Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:12.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3440-5FCE-0000-001085222C00}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020871Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020872Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020873Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020874Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020875Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:12.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3440-5FCE-0000-001085222C00}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020876Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:12.633{7E7FFDA1-3440-5FCE-0000-001085222C00}39523648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020860Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:11.493{7E7FFDA1-343F-5FCE-0000-0010D8202C00}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020861Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:11.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-343F-5FCE-0000-0010D8202C00}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020862Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:11.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-343F-5FCE-0000-0010D8202C00}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020863Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020864Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020865Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020866Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020867Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:11.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-343F-5FCE-0000-0010D8202C00}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000020859Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:54:41.555{7E7FFDA1-18B1-5FCE-0000-001008C50000}1204C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6cca0-0x82d09b3b) 154100x800000000000000020851Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:16.493{7E7FFDA1-3408-5FCE-0000-0010A7142C00}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020852Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:16.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3408-5FCE-0000-0010A7142C00}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020853Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:16.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3408-5FCE-0000-0010A7142C00}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020854Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:16.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020855Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:16.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020856Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:16.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020857Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:16.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020858Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:16.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3408-5FCE-0000-0010A7142C00}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020842Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:15.321{7E7FFDA1-3407-5FCE-0000-001077122C00}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020843Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:15.320{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3407-5FCE-0000-001077122C00}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020844Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:15.320{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-3407-5FCE-0000-001077122C00}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020845Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:15.320{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020846Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:15.320{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020847Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:15.320{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020848Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:15.320{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020849Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:15.320{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3407-5FCE-0000-001077122C00}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020850Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:15.461{7E7FFDA1-3407-5FCE-0000-001077122C00}48566492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020824Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:14.149{7E7FFDA1-3406-5FCE-0000-0010390F2C00}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020825Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:14.148{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3406-5FCE-0000-0010390F2C00}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020826Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:14.148{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3406-5FCE-0000-0010390F2C00}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020827Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:14.148{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020828Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:14.148{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020829Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:14.148{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020830Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:14.148{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020831Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:14.148{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3406-5FCE-0000-0010390F2C00}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020832Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:14.289{7E7FFDA1-3406-5FCE-0000-0010390F2C00}20281476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020833Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:14.821{7E7FFDA1-3406-5FCE-0000-0010E7102C00}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020834Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:14.820{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3406-5FCE-0000-0010E7102C00}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020835Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:14.820{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3406-5FCE-0000-0010E7102C00}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020836Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:14.820{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020837Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:14.820{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020838Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:14.820{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020839Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:14.820{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020840Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:14.820{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3406-5FCE-0000-0010E7102C00}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020841Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:14.961{7E7FFDA1-3406-5FCE-0000-0010E7102C00}18285876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020816Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:13.477{7E7FFDA1-3405-5FCE-0000-0010670D2C00}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020817Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:13.476{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3405-5FCE-0000-0010670D2C00}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020818Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:13.476{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-3405-5FCE-0000-0010670D2C00}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020819Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:13.476{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020820Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:13.476{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020821Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:13.476{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020822Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:13.476{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020823Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:13.476{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3405-5FCE-0000-0010670D2C00}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020807Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:12.493{7E7FFDA1-3404-5FCE-0000-0010A70B2C00}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020808Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:12.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3404-5FCE-0000-0010A70B2C00}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020809Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:12.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3404-5FCE-0000-0010A70B2C00}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020810Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020811Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020812Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020813Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020814Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:12.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3404-5FCE-0000-0010A70B2C00}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020815Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:12.633{7E7FFDA1-3404-5FCE-0000-0010A70B2C00}10521840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020799Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:11.493{7E7FFDA1-3403-5FCE-0000-0010EC092C00}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020800Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:11.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3403-5FCE-0000-0010EC092C00}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020801Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:11.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3403-5FCE-0000-0010EC092C00}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020802Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020803Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020804Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020805Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020806Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:11.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3403-5FCE-0000-0010EC092C00}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020770Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020771Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020772Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020773Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020774Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020775Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020776Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020777Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020778Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020779Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020780Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020781Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020782Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020783Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020784Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020785Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020786Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020787Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020788Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020789Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020790Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020791Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020792Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020793Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020794Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020795Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020796Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020797Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020798Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000020767Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:53:18.055{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_A47110B2-D436-47F8-BEA1-61CCEBF6C04E.XML 13241300x800000000000000020768Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:53:18.055{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Config SourceDWORD (0x00000001) 13241300x800000000000000020769Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:53:18.070{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9D191D6C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9D191D6C-0000-0000-0000-100000000000.XML 154100x800000000000000020759Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:16.478{7E7FFDA1-33CC-5FCE-0000-00109EFB2B00}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020760Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:16.477{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-33CC-5FCE-0000-00109EFB2B00}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020761Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:16.477{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-33CC-5FCE-0000-00109EFB2B00}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020762Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020763Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020764Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020765Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020766Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:16.477{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-33CC-5FCE-0000-00109EFB2B00}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020750Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:15.337{7E7FFDA1-33CB-5FCE-0000-001054F92B00}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020751Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:15.336{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-33CB-5FCE-0000-001054F92B00}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020752Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:15.336{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-33CB-5FCE-0000-001054F92B00}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020753Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:15.336{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020754Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:15.336{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020755Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:15.336{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020756Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:15.336{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020757Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:15.336{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-33CB-5FCE-0000-001054F92B00}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020758Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:15.477{7E7FFDA1-33CB-5FCE-0000-001054F92B00}69646432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020732Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:14.149{7E7FFDA1-33CA-5FCE-0000-001007F62B00}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020733Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:14.148{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-33CA-5FCE-0000-001007F62B00}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020734Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:14.148{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-33CA-5FCE-0000-001007F62B00}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020735Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:14.148{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020736Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:14.148{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020737Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:14.148{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020738Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:14.148{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020739Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:14.148{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-33CA-5FCE-0000-001007F62B00}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020740Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:14.289{7E7FFDA1-33CA-5FCE-0000-001007F62B00}69526204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020741Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:14.821{7E7FFDA1-33CA-5FCE-0000-0010AFF72B00}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020742Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:14.820{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-33CA-5FCE-0000-0010AFF72B00}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020743Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:14.820{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-33CA-5FCE-0000-0010AFF72B00}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020744Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:14.820{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020745Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:14.820{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020746Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:14.820{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020747Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:14.820{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020748Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:14.820{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-33CA-5FCE-0000-0010AFF72B00}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020749Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:14.961{7E7FFDA1-33CA-5FCE-0000-0010AFF72B00}51886920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020724Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:13.478{7E7FFDA1-33C9-5FCE-0000-001055F42B00}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020725Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:13.477{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-33C9-5FCE-0000-001055F42B00}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020726Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:13.477{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-33C9-5FCE-0000-001055F42B00}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020727Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:13.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020728Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:13.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020729Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:13.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020730Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:13.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020731Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:13.477{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-33C9-5FCE-0000-001055F42B00}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020715Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:12.493{7E7FFDA1-33C8-5FCE-0000-001091F22B00}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020716Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:12.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-33C8-5FCE-0000-001091F22B00}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020717Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:12.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-33C8-5FCE-0000-001091F22B00}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020718Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020719Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020720Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020721Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020722Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:12.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-33C8-5FCE-0000-001091F22B00}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020723Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:12.633{7E7FFDA1-33C8-5FCE-0000-001091F22B00}27044932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020707Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:11.493{7E7FFDA1-33C7-5FCE-0000-0010D1F02B00}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020708Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:11.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-33C7-5FCE-0000-0010D1F02B00}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020709Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:11.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-33C7-5FCE-0000-0010D1F02B00}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020710Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020711Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020712Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020713Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020714Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:11.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-33C7-5FCE-0000-0010D1F02B00}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000020706Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:52:33.695{7E7FFDA1-18B1-5FCE-0000-001008C50000}1204C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6cca0-0x369adaf8) 154100x800000000000000020698Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:16.587{7E7FFDA1-3390-5FCE-0000-0010B2D32B00}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020699Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:16.586{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3390-5FCE-0000-0010B2D32B00}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020700Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:16.586{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3390-5FCE-0000-0010B2D32B00}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020701Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:16.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020702Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:16.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020703Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:16.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020704Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:16.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020705Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:16.586{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3390-5FCE-0000-0010B2D32B00}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020689Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:15.493{7E7FFDA1-338F-5FCE-0000-001089D12B00}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020690Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:15.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-338F-5FCE-0000-001089D12B00}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020691Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:15.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-338F-5FCE-0000-001089D12B00}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020692Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:15.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020693Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:15.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020694Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:15.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020695Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:15.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020696Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:15.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-338F-5FCE-0000-001089D12B00}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020697Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:15.633{7E7FFDA1-338F-5FCE-0000-001089D12B00}15485896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020671Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:14.150{7E7FFDA1-338E-5FCE-0000-00102DCE2B00}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020672Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:14.149{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-338E-5FCE-0000-00102DCE2B00}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020673Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:14.149{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-338E-5FCE-0000-00102DCE2B00}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020674Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:14.149{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020675Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:14.149{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020676Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:14.149{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020677Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:14.149{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020678Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:14.149{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-338E-5FCE-0000-00102DCE2B00}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020679Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:14.289{7E7FFDA1-338E-5FCE-0000-00102DCE2B00}60485636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020680Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:14.821{7E7FFDA1-338E-5FCE-0000-0010BBCF2B00}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020681Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:14.820{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-338E-5FCE-0000-0010BBCF2B00}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020682Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:14.820{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-338E-5FCE-0000-0010BBCF2B00}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020683Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:14.820{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020684Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:14.820{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020685Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:14.820{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020686Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:14.820{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020687Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:14.820{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-338E-5FCE-0000-0010BBCF2B00}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020688Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:14.961{7E7FFDA1-338E-5FCE-0000-0010BBCF2B00}35606044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020663Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:13.618{7E7FFDA1-338D-5FCE-0000-001061CC2B00}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020664Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:13.617{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-338D-5FCE-0000-001061CC2B00}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020665Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:13.617{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-338D-5FCE-0000-001061CC2B00}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020666Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:13.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020667Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:13.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020668Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:13.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020669Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:13.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020670Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:13.617{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-338D-5FCE-0000-001061CC2B00}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020654Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:12.493{7E7FFDA1-338C-5FCE-0000-00109ACA2B00}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020655Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:12.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-338C-5FCE-0000-00109ACA2B00}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020656Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:12.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-338C-5FCE-0000-00109ACA2B00}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020657Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020658Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020659Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020660Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020661Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:12.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-338C-5FCE-0000-00109ACA2B00}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020662Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:12.633{7E7FFDA1-338C-5FCE-0000-00109ACA2B00}67922656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020646Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:11.493{7E7FFDA1-338B-5FCE-0000-0010DFC82B00}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020647Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:11.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-338B-5FCE-0000-0010DFC82B00}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020648Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:11.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-338B-5FCE-0000-0010DFC82B00}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020649Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020650Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020651Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020652Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020653Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:11.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-338B-5FCE-0000-0010DFC82B00}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020645Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:40.445{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}6126676C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-001002BA0000}1152C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020637Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:16.587{7E7FFDA1-3354-5FCE-0000-0010D2BC2B00}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020638Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:16.586{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3354-5FCE-0000-0010D2BC2B00}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020639Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:16.586{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3354-5FCE-0000-0010D2BC2B00}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020640Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:16.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020641Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:16.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020642Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:16.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020643Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:16.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020644Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:16.586{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3354-5FCE-0000-0010D2BC2B00}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020627Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:15.102{7E7FFDA1-3352-5FCE-0000-0010F8B82B00}27526872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020628Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:15.634{7E7FFDA1-3353-5FCE-0000-0010B9BA2B00}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020629Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:15.633{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3353-5FCE-0000-0010B9BA2B00}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020630Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:15.633{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-3353-5FCE-0000-0010B9BA2B00}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020631Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:15.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020632Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:15.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020633Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:15.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020634Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:15.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020635Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:15.633{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3353-5FCE-0000-0010B9BA2B00}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020636Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:15.774{7E7FFDA1-3353-5FCE-0000-0010B9BA2B00}56807024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020610Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:14.290{7E7FFDA1-3352-5FCE-0000-001066B72B00}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020611Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:14.289{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3352-5FCE-0000-001066B72B00}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020612Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:14.289{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3352-5FCE-0000-001066B72B00}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020613Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:14.289{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020614Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:14.289{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020615Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:14.289{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020616Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:14.289{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020617Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:14.289{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3352-5FCE-0000-001066B72B00}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020618Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:14.430{7E7FFDA1-3352-5FCE-0000-001066B72B00}53322668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020619Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:14.962{7E7FFDA1-3352-5FCE-0000-0010F8B82B00}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020620Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:14.961{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3352-5FCE-0000-0010F8B82B00}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020621Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:14.961{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3352-5FCE-0000-0010F8B82B00}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020622Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:14.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020623Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:14.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020624Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:14.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020625Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:14.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020626Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:14.961{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3352-5FCE-0000-0010F8B82B00}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020602Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:13.618{7E7FFDA1-3351-5FCE-0000-001092B52B00}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020603Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:13.617{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3351-5FCE-0000-001092B52B00}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020604Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:13.617{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3351-5FCE-0000-001092B52B00}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020605Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:13.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020606Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:13.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020607Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:13.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020608Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:13.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020609Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:13.617{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3351-5FCE-0000-001092B52B00}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020593Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:12.493{7E7FFDA1-3350-5FCE-0000-0010CCB32B00}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020594Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:12.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3350-5FCE-0000-0010CCB32B00}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020595Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:12.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3350-5FCE-0000-0010CCB32B00}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020596Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020597Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020598Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020599Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020600Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:12.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3350-5FCE-0000-0010CCB32B00}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020601Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:12.633{7E7FFDA1-3350-5FCE-0000-0010CCB32B00}52644128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020585Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:11.493{7E7FFDA1-334F-5FCE-0000-00101BB22B00}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020586Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:11.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-334F-5FCE-0000-00101BB22B00}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020587Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:11.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-334F-5FCE-0000-00101BB22B00}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020588Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020589Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020590Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020591Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020592Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:11.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-334F-5FCE-0000-00101BB22B00}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000020575Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:50:58.352{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6cca8-0x5f55ba7a) 13241300x800000000000000020576Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:50:58.352{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cc9f-0xfd91527a) 13241300x800000000000000020577Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:50:58.352{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc97-0x9bccea7a) 13241300x800000000000000020578Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:50:58.352{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0067e450) 13241300x800000000000000020579Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:50:58.352{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000020580Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:50:58.352{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6cca8-0x5f55ba7a) 13241300x800000000000000020581Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:50:58.352{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cc9f-0xfd91527a) 13241300x800000000000000020582Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:50:58.352{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc97-0x9bccea7a) 13241300x800000000000000020583Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:50:58.352{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0067e450) 13241300x800000000000000020584Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:50:58.352{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 10341000x800000000000000020574Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:39.555{7E7FFDA1-18AF-5FCE-0000-001027540000}856424C:\Windows\system32\lsass.exe{7E7FFDA1-18AE-5FCE-0000-0010EB030000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000020571Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:37.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020572Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:37.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020573Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:37.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020563Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:16.571{7E7FFDA1-3318-5FCE-0000-0010C2A02B00}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020564Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:16.571{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3318-5FCE-0000-0010C2A02B00}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020565Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:16.571{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3318-5FCE-0000-0010C2A02B00}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020566Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:16.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020567Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:16.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020568Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:16.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020569Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:16.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020570Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:16.571{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3318-5FCE-0000-0010C2A02B00}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020553Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:15.102{7E7FFDA1-3316-5FCE-0000-0010E59C2B00}10522128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020554Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:15.634{7E7FFDA1-3317-5FCE-0000-00108C9E2B00}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020555Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:15.633{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3317-5FCE-0000-00108C9E2B00}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020556Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:15.633{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3317-5FCE-0000-00108C9E2B00}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020557Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:15.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020558Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:15.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020559Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:15.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020560Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:15.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020561Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:15.633{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3317-5FCE-0000-00108C9E2B00}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020562Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:15.774{7E7FFDA1-3317-5FCE-0000-00108C9E2B00}42767160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020537Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:14.290{7E7FFDA1-3316-5FCE-0000-0010339B2B00}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020538Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:14.289{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3316-5FCE-0000-0010339B2B00}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020539Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:14.289{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3316-5FCE-0000-0010339B2B00}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020540Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:14.289{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020541Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:14.289{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020542Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:14.289{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020543Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:14.289{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020544Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:14.289{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3316-5FCE-0000-0010339B2B00}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020545Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:14.962{7E7FFDA1-3316-5FCE-0000-0010E59C2B00}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020546Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:14.961{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3316-5FCE-0000-0010E59C2B00}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020547Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:14.961{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3316-5FCE-0000-0010E59C2B00}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020548Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:14.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020549Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:14.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020550Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:14.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020551Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:14.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020552Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:14.961{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3316-5FCE-0000-0010E59C2B00}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020528Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:13.618{7E7FFDA1-3315-5FCE-0000-001079992B00}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020529Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:13.617{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3315-5FCE-0000-001079992B00}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020530Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:13.617{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3315-5FCE-0000-001079992B00}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020531Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:13.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020532Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:13.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020533Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:13.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020534Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:13.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020535Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:13.617{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3315-5FCE-0000-001079992B00}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020536Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:13.758{7E7FFDA1-3315-5FCE-0000-001079992B00}28965416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020519Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:12.493{7E7FFDA1-3314-5FCE-0000-00109E972B00}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020520Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:12.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3314-5FCE-0000-00109E972B00}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020521Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:12.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3314-5FCE-0000-00109E972B00}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020522Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020523Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020524Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020525Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020526Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:12.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3314-5FCE-0000-00109E972B00}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020527Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:12.633{7E7FFDA1-3314-5FCE-0000-00109E972B00}54526444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020511Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:11.493{7E7FFDA1-3313-5FCE-0000-0010EB952B00}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020512Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:11.493{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3313-5FCE-0000-0010EB952B00}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020513Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:11.493{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3313-5FCE-0000-0010EB952B00}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020514Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020515Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020516Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020517Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020518Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:11.493{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3313-5FCE-0000-0010EB952B00}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020482Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020483Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020484Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020485Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020486Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020487Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020488Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020489Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020490Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020491Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020492Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020493Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020494Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020495Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020496Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020497Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020498Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020499Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020500Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020501Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020502Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020503Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020504Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020505Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020506Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020507Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020508Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020509Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020510Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020474Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:16.556{7E7FFDA1-32DC-5FCE-0000-001068892B00}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020475Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:16.555{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-32DC-5FCE-0000-001068892B00}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020476Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:16.555{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-32DC-5FCE-0000-001068892B00}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020477Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:16.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020478Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:16.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020479Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:16.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020480Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:16.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020481Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:16.555{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-32DC-5FCE-0000-001068892B00}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020464Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:15.024{7E7FFDA1-32DA-5FCE-0000-001087852B00}40406000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020465Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:15.494{7E7FFDA1-32DB-5FCE-0000-001039872B00}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020466Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:15.493{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-32DB-5FCE-0000-001039872B00}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020467Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:15.493{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-32DB-5FCE-0000-001039872B00}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020468Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:15.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020469Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:15.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020470Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:15.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020471Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:15.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020472Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:15.493{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-32DB-5FCE-0000-001039872B00}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020473Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:15.633{7E7FFDA1-32DB-5FCE-0000-001039872B00}52204280C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020447Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:14.290{7E7FFDA1-32DA-5FCE-0000-0010BE832B00}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020448Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:14.289{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-32DA-5FCE-0000-0010BE832B00}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020449Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:14.289{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-32DA-5FCE-0000-0010BE832B00}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020450Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:14.289{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020451Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:14.289{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020452Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:14.289{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020453Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:14.289{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020454Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:14.289{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-32DA-5FCE-0000-0010BE832B00}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020455Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:14.430{7E7FFDA1-32DA-5FCE-0000-0010BE832B00}38841316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020456Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:14.885{7E7FFDA1-32DA-5FCE-0000-001087852B00}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020457Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:14.883{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-32DA-5FCE-0000-001087852B00}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020458Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:14.883{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-32DA-5FCE-0000-001087852B00}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020459Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:14.883{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020460Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:14.883{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020461Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:14.883{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020462Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:14.883{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020463Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:14.883{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-32DA-5FCE-0000-001087852B00}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000020433Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:49:13.493{7E7FFDA1-18B1-5FCE-0000-001044CB0000}1260C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001) 13241300x800000000000000020434Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:49:13.493{7E7FFDA1-18B1-5FCE-0000-001044CB0000}1260C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data 13241300x800000000000000020435Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:49:13.493{7E7FFDA1-18B1-5FCE-0000-001044CB0000}1260C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d6cc9f-0xbf464ef4) 13241300x800000000000000020436Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:49:13.493{7E7FFDA1-18B1-5FCE-0000-001044CB0000}1260C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000) 13241300x800000000000000020437Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:49:13.493{7E7FFDA1-18B1-5FCE-0000-001044CB0000}1260C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008) 13241300x800000000000000020438Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:49:13.493{7E7FFDA1-18B1-5FCE-0000-001044CB0000}1260C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data 154100x800000000000000020439Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:13.619{7E7FFDA1-32D9-5FCE-0000-0010FA812B00}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020440Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:13.618{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-32D9-5FCE-0000-0010FA812B00}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020441Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:13.618{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-32D9-5FCE-0000-0010FA812B00}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020442Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:13.618{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020443Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:13.618{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020444Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:13.618{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020445Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:13.618{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020446Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:13.618{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-32D9-5FCE-0000-0010FA812B00}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020424Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:12.493{7E7FFDA1-32D8-5FCE-0000-0010FF7F2B00}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020425Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:12.493{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-32D8-5FCE-0000-0010FF7F2B00}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020426Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:12.493{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-32D8-5FCE-0000-0010FF7F2B00}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020427Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020428Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020429Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020430Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020431Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:12.493{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-32D8-5FCE-0000-0010FF7F2B00}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020432Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:12.633{7E7FFDA1-32D8-5FCE-0000-0010FF7F2B00}54244188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020416Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:11.493{7E7FFDA1-32D7-5FCE-0000-00104B7E2B00}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020417Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:11.493{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-32D7-5FCE-0000-00104B7E2B00}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020418Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:11.493{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-32D7-5FCE-0000-00104B7E2B00}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020419Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020420Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020421Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020422Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020423Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:11.493{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-32D7-5FCE-0000-00104B7E2B00}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000020413Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:48:17.618{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_A47110B2-D436-47F8-BEA1-61CCEBF6C04E.XML 13241300x800000000000000020414Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:48:17.618{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Config SourceDWORD (0x00000001) 13241300x800000000000000020415Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:48:17.633{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9D191D6C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9D191D6C-0000-0000-0000-100000000000.XML 154100x800000000000000020405Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:16.556{7E7FFDA1-32A0-5FCE-0000-00104D702B00}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020406Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:16.555{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-32A0-5FCE-0000-00104D702B00}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020407Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:16.555{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-32A0-5FCE-0000-00104D702B00}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020408Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:16.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020409Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:16.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020410Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:16.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020411Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:16.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020412Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:16.555{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-32A0-5FCE-0000-00104D702B00}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020395Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:15.086{7E7FFDA1-329E-5FCE-0000-0010696C2B00}52882656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020396Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:15.603{7E7FFDA1-329F-5FCE-0000-0010846E2B00}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020397Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:15.602{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-329F-5FCE-0000-0010846E2B00}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020398Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:15.602{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-329F-5FCE-0000-0010846E2B00}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020399Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:15.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020400Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:15.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020401Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:15.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020402Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:15.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020403Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:15.602{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-329F-5FCE-0000-0010846E2B00}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020404Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:15.743{7E7FFDA1-329F-5FCE-0000-0010846E2B00}68166708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020379Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:14.275{7E7FFDA1-329E-5FCE-0000-0010B36A2B00}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020380Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:14.274{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-329E-5FCE-0000-0010B36A2B00}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020381Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:14.274{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-329E-5FCE-0000-0010B36A2B00}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020382Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:14.274{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020383Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:14.274{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020384Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:14.274{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020385Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:14.274{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020386Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:14.274{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-329E-5FCE-0000-0010B36A2B00}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020387Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:14.947{7E7FFDA1-329E-5FCE-0000-0010696C2B00}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020388Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:14.946{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-329E-5FCE-0000-0010696C2B00}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020389Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:14.946{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-329E-5FCE-0000-0010696C2B00}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020390Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:14.946{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020391Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:14.946{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020392Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:14.946{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020393Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:14.946{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020394Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:14.946{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-329E-5FCE-0000-0010696C2B00}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020370Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:13.618{7E7FFDA1-329D-5FCE-0000-001007692B00}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020371Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:13.618{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-329D-5FCE-0000-001007692B00}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020372Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:13.618{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-329D-5FCE-0000-001007692B00}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020373Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:13.618{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020374Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:13.618{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020375Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:13.618{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020376Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:13.618{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020377Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:13.618{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-329D-5FCE-0000-001007692B00}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020378Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:13.758{7E7FFDA1-329D-5FCE-0000-001007692B00}66165324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020361Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:12.493{7E7FFDA1-329C-5FCE-0000-00102A672B00}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020362Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:12.493{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-329C-5FCE-0000-00102A672B00}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020363Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:12.493{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-329C-5FCE-0000-00102A672B00}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020364Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020365Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020366Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020367Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020368Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:12.493{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-329C-5FCE-0000-00102A672B00}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020369Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:12.633{7E7FFDA1-329C-5FCE-0000-00102A672B00}67204844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020353Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:11.493{7E7FFDA1-329B-5FCE-0000-00107C652B00}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020354Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:11.493{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-329B-5FCE-0000-00107C652B00}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020355Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:11.493{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-329B-5FCE-0000-00107C652B00}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020356Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020357Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020358Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020359Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020360Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:11.493{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-329B-5FCE-0000-00107C652B00}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020324Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020325Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020326Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020327Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020328Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020329Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020330Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020331Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020332Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020333Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020334Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020335Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020336Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020337Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020338Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020339Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020340Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020341Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020342Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020343Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020344Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020345Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020346Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020347Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020348Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020349Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020350Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020351Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020352Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020322Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:37.118{7E7FFDA1-18B1-5FCE-0000-001002BA0000}11526112C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020323Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:37.118{7E7FFDA1-18B1-5FCE-0000-001002BA0000}11526112C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020321Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:35.508{7E7FFDA1-18AF-5FCE-0000-001027540000}856896C:\Windows\system32\lsass.exe{7E7FFDA1-18AE-5FCE-0000-0010EB030000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 154100x800000000000000020313Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:16.665{7E7FFDA1-3264-5FCE-0000-00108B572B00}7072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020314Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:16.665{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3264-5FCE-0000-00108B572B00}7072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020315Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:16.665{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-3264-5FCE-0000-00108B572B00}7072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020316Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:16.665{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020317Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:16.665{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020318Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:16.665{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020319Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:16.665{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020320Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:16.665{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3264-5FCE-0000-00108B572B00}7072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020303Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:15.071{7E7FFDA1-3262-5FCE-0000-0010CF532B00}67766072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020304Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:15.587{7E7FFDA1-3263-5FCE-0000-0010C5552B00}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020305Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:15.587{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3263-5FCE-0000-0010C5552B00}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020306Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:15.587{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3263-5FCE-0000-0010C5552B00}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020307Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:15.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020308Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:15.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020309Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:15.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020310Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:15.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020311Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:15.587{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3263-5FCE-0000-0010C5552B00}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020312Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:15.727{7E7FFDA1-3263-5FCE-0000-0010C5552B00}56485492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020287Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:14.259{7E7FFDA1-3262-5FCE-0000-0010FB512B00}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020288Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:14.258{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3262-5FCE-0000-0010FB512B00}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020289Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:14.258{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-3262-5FCE-0000-0010FB512B00}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020290Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:14.258{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020291Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:14.258{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020292Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:14.258{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020293Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:14.258{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020294Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:14.258{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3262-5FCE-0000-0010FB512B00}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020295Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:14.931{7E7FFDA1-3262-5FCE-0000-0010CF532B00}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020296Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:14.930{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3262-5FCE-0000-0010CF532B00}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020297Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:14.930{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3262-5FCE-0000-0010CF532B00}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020298Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:14.930{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020299Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:14.930{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020300Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:14.930{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020301Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:14.930{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020302Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:14.930{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3262-5FCE-0000-0010CF532B00}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020278Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:13.603{7E7FFDA1-3261-5FCE-0000-00103E502B00}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020279Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:13.602{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3261-5FCE-0000-00103E502B00}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020280Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:13.602{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3261-5FCE-0000-00103E502B00}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020281Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:13.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020282Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:13.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020283Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:13.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020284Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:13.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020285Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:13.602{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3261-5FCE-0000-00103E502B00}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020286Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:13.743{7E7FFDA1-3261-5FCE-0000-00103E502B00}51362492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020269Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:12.494{7E7FFDA1-3260-5FCE-0000-0010764E2B00}6052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020270Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:12.493{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3260-5FCE-0000-0010764E2B00}6052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020271Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:12.493{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3260-5FCE-0000-0010764E2B00}6052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020272Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020273Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020274Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020275Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020276Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:12.493{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3260-5FCE-0000-0010764E2B00}6052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020277Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:12.633{7E7FFDA1-3260-5FCE-0000-0010764E2B00}60522192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020261Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:11.494{7E7FFDA1-325F-5FCE-0000-0010C54C2B00}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020262Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:11.493{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-325F-5FCE-0000-0010C54C2B00}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020263Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:11.493{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-325F-5FCE-0000-0010C54C2B00}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020264Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020265Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020266Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020267Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020268Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:11.493{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-325F-5FCE-0000-0010C54C2B00}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020253Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:16.665{7E7FFDA1-3228-5FCE-0000-0010EE402B00}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020254Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:16.665{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3228-5FCE-0000-0010EE402B00}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020255Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:16.665{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-3228-5FCE-0000-0010EE402B00}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020256Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:16.665{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020257Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:16.665{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020258Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:16.665{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020259Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:16.665{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020260Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:16.665{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3228-5FCE-0000-0010EE402B00}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020243Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:15.071{7E7FFDA1-3226-5FCE-0000-0010133D2B00}9361424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020244Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:15.587{7E7FFDA1-3227-5FCE-0000-0010253F2B00}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020245Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:15.586{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3227-5FCE-0000-0010253F2B00}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020246Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:15.586{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3227-5FCE-0000-0010253F2B00}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020247Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:15.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020248Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:15.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020249Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:15.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020250Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:15.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020251Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:15.586{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3227-5FCE-0000-0010253F2B00}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020252Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:15.727{7E7FFDA1-3227-5FCE-0000-0010253F2B00}42125452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020227Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:14.259{7E7FFDA1-3226-5FCE-0000-0010453B2B00}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020228Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:14.258{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3226-5FCE-0000-0010453B2B00}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020229Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:14.258{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3226-5FCE-0000-0010453B2B00}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020230Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:14.258{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020231Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:14.258{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020232Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:14.258{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020233Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:14.258{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020234Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:14.258{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3226-5FCE-0000-0010453B2B00}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020235Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:14.931{7E7FFDA1-3226-5FCE-0000-0010133D2B00}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020236Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:14.930{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3226-5FCE-0000-0010133D2B00}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020237Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:14.930{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3226-5FCE-0000-0010133D2B00}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020238Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:14.930{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020239Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:14.930{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020240Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:14.930{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020241Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:14.930{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020242Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:14.930{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3226-5FCE-0000-0010133D2B00}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020218Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:13.587{7E7FFDA1-3225-5FCE-0000-0010A0392B00}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020219Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:13.586{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3225-5FCE-0000-0010A0392B00}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020220Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:13.586{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-3225-5FCE-0000-0010A0392B00}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020221Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:13.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020222Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:13.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020223Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:13.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020224Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:13.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020225Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:13.586{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3225-5FCE-0000-0010A0392B00}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020226Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:13.727{7E7FFDA1-3225-5FCE-0000-0010A0392B00}55364680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020209Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:12.494{7E7FFDA1-3224-5FCE-0000-0010B4372B00}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020210Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:12.493{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3224-5FCE-0000-0010B4372B00}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020211Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:12.493{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3224-5FCE-0000-0010B4372B00}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020212Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020213Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020214Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020215Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020216Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:12.493{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3224-5FCE-0000-0010B4372B00}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020217Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:12.633{7E7FFDA1-3224-5FCE-0000-0010B4372B00}59525428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020201Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:11.494{7E7FFDA1-3223-5FCE-0000-001008362B00}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020202Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:11.493{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3223-5FCE-0000-001008362B00}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020203Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:11.493{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3223-5FCE-0000-001008362B00}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020204Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020205Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020206Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020207Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020208Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:11.493{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3223-5FCE-0000-001008362B00}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000020191Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:45:58.336{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6cca7-0xac82eb7a) 13241300x800000000000000020192Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:45:58.336{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cc9f-0x4abe837a) 13241300x800000000000000020193Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:45:58.336{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc96-0xe8fa1b7a) 13241300x800000000000000020194Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:45:58.336{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00635060) 13241300x800000000000000020195Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:45:58.336{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000020196Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:45:58.336{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6cca7-0xac82eb7a) 13241300x800000000000000020197Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:45:58.336{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cc9f-0x4abe837a) 13241300x800000000000000020198Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:45:58.336{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc96-0xe8fa1b7a) 13241300x800000000000000020199Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:45:58.336{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00635060) 13241300x800000000000000020200Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:45:58.336{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 10341000x800000000000000020162Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020163Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020164Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020165Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020166Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020167Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020168Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020169Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020170Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020171Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020172Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020173Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020174Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020175Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020176Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020177Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020178Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020179Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020180Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020181Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020182Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020183Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020184Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020185Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020186Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020187Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020188Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020189Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020190Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020161Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:39.414{7E7FFDA1-18AF-5FCE-0000-001027540000}856424C:\Windows\system32\lsass.exe{7E7FFDA1-18AE-5FCE-0000-0010EB030000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000020158Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:37.368{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020159Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:37.368{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020160Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:37.368{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020150Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:16.665{7E7FFDA1-31EC-5FCE-0000-0010F9232B00}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020151Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:16.664{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-31EC-5FCE-0000-0010F9232B00}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020152Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:16.664{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-31EC-5FCE-0000-0010F9232B00}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020153Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:16.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020154Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:16.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020155Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:16.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020156Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:16.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020157Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:16.664{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-31EC-5FCE-0000-0010F9232B00}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020140Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:15.071{7E7FFDA1-31EA-5FCE-0000-001014202B00}59963632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020141Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:15.587{7E7FFDA1-31EB-5FCE-0000-00104B222B00}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020142Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:15.586{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-31EB-5FCE-0000-00104B222B00}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020143Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:15.586{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-31EB-5FCE-0000-00104B222B00}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020144Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:15.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020145Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:15.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020146Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:15.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020147Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:15.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020148Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:15.586{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-31EB-5FCE-0000-00104B222B00}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020149Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:15.727{7E7FFDA1-31EB-5FCE-0000-00104B222B00}68522784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020123Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:14.259{7E7FFDA1-31EA-5FCE-0000-0010861E2B00}1556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020124Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:14.258{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-31EA-5FCE-0000-0010861E2B00}1556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020125Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:14.258{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-31EA-5FCE-0000-0010861E2B00}1556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020126Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:14.258{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020127Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:14.258{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020128Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:14.258{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020129Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:14.258{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020130Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:14.258{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-31EA-5FCE-0000-0010861E2B00}1556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020131Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:14.399{7E7FFDA1-31EA-5FCE-0000-0010861E2B00}15565812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020132Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:14.931{7E7FFDA1-31EA-5FCE-0000-001014202B00}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020133Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:14.930{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-31EA-5FCE-0000-001014202B00}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020134Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:14.930{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-31EA-5FCE-0000-001014202B00}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020135Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:14.930{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020136Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:14.930{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020137Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:14.930{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020138Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:14.930{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020139Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:14.930{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-31EA-5FCE-0000-001014202B00}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020115Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:13.587{7E7FFDA1-31E9-5FCE-0000-0010B41C2B00}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020116Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:13.586{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-31E9-5FCE-0000-0010B41C2B00}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020117Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:13.586{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-31E9-5FCE-0000-0010B41C2B00}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020118Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:13.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020119Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:13.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020120Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:13.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020121Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:13.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020122Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:13.586{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-31E9-5FCE-0000-0010B41C2B00}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020106Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:12.493{7E7FFDA1-31E8-5FCE-0000-0010ED1A2B00}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020107Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:12.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-31E8-5FCE-0000-0010ED1A2B00}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020108Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:12.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-31E8-5FCE-0000-0010ED1A2B00}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020109Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020110Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020111Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020112Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020113Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:12.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-31E8-5FCE-0000-0010ED1A2B00}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020114Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:12.633{7E7FFDA1-31E8-5FCE-0000-0010ED1A2B00}28401624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020098Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:11.493{7E7FFDA1-31E7-5FCE-0000-00103C192B00}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020099Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:11.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-31E7-5FCE-0000-00103C192B00}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020100Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:11.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-31E7-5FCE-0000-00103C192B00}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020101Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020102Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020103Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020104Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020105Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:11.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-31E7-5FCE-0000-00103C192B00}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020090Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:16.665{7E7FFDA1-31B0-5FCE-0000-0010550D2B00}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020091Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:16.664{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-31B0-5FCE-0000-0010550D2B00}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020092Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:16.664{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-31B0-5FCE-0000-0010550D2B00}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020093Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:16.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020094Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:16.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020095Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:16.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020096Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:16.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020097Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:16.664{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-31B0-5FCE-0000-0010550D2B00}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020080Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:15.055{7E7FFDA1-31AE-5FCE-0000-00106A092B00}61846668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020081Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:15.587{7E7FFDA1-31AF-5FCE-0000-0010920B2B00}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020082Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:15.586{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-31AF-5FCE-0000-0010920B2B00}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020083Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:15.586{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-31AF-5FCE-0000-0010920B2B00}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020084Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:15.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020085Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:15.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020086Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:15.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020087Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:15.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020088Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:15.586{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-31AF-5FCE-0000-0010920B2B00}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020089Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:15.727{7E7FFDA1-31AF-5FCE-0000-0010920B2B00}19246848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020063Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:14.243{7E7FFDA1-31AE-5FCE-0000-0010DA072B00}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020064Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:14.242{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-31AE-5FCE-0000-0010DA072B00}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020065Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:14.242{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-31AE-5FCE-0000-0010DA072B00}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020066Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:14.242{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020067Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:14.242{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020068Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:14.242{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020069Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:14.242{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020070Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:14.242{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-31AE-5FCE-0000-0010DA072B00}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020071Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:14.383{7E7FFDA1-31AE-5FCE-0000-0010DA072B00}69483900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020072Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:14.915{7E7FFDA1-31AE-5FCE-0000-00106A092B00}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020073Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:14.914{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-31AE-5FCE-0000-00106A092B00}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020074Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:14.914{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-31AE-5FCE-0000-00106A092B00}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020075Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:14.914{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020076Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:14.914{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020077Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:14.914{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020078Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:14.914{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020079Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:14.914{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-31AE-5FCE-0000-00106A092B00}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020055Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:13.587{7E7FFDA1-31AD-5FCE-0000-001004062B00}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020056Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:13.586{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-31AD-5FCE-0000-001004062B00}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020057Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:13.586{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-31AD-5FCE-0000-001004062B00}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020058Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:13.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020059Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:13.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020060Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:13.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020061Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:13.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020062Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:13.586{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-31AD-5FCE-0000-001004062B00}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020046Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:12.493{7E7FFDA1-31AC-5FCE-0000-00103E042B00}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020047Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:12.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-31AC-5FCE-0000-00103E042B00}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020048Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:12.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-31AC-5FCE-0000-00103E042B00}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020049Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020050Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020051Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020052Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020053Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:12.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-31AC-5FCE-0000-00103E042B00}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020054Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:12.633{7E7FFDA1-31AC-5FCE-0000-00103E042B00}68206676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020038Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:11.493{7E7FFDA1-31AB-5FCE-0000-001093022B00}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020039Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:11.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-31AB-5FCE-0000-001093022B00}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020040Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:11.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-31AB-5FCE-0000-001093022B00}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020041Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020042Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020043Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020044Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020045Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:11.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-31AB-5FCE-0000-001093022B00}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000020037Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localRDP2020-12-07 13:44:00.553{7E7FFDA1-18B1-5FCE-0000-0010BBB90000}1144C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse216.218.206.66scan-05.shadowserver.org35360false10.0.1.14win-dc-633.attackrange.local3389ms-wbt-server 354300x800000000000000020036Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localRDP2020-12-07 13:43:46.263{7E7FFDA1-18B1-5FCE-0000-0010BBB90000}1144C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse216.218.206.66scan-05.shadowserver.org59866false10.0.1.14win-dc-633.attackrange.local3389ms-wbt-server 10341000x800000000000000020007Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020008Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020009Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020010Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020011Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020012Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020013Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020014Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020015Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020016Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020017Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020018Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020019Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020020Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020021Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020022Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020023Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020024Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020025Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020026Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020027Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020028Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020029Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020030Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020031Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020032Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020033Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020034Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020035Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000020006Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:43:20.023{7E7FFDA1-18B1-5FCE-0000-001008C50000}1204C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6cc9e-0xec972ab9) 13241300x800000000000000020003Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:43:17.039{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_A47110B2-D436-47F8-BEA1-61CCEBF6C04E.XML 13241300x800000000000000020004Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:43:17.039{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Config SourceDWORD (0x00000001) 13241300x800000000000000020005Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:43:17.054{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9D191D6C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9D191D6C-0000-0000-0000-100000000000.XML 154100x800000000000000019995Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:16.665{7E7FFDA1-3174-5FCE-0000-0010D8F12A00}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019996Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:16.664{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3174-5FCE-0000-0010D8F12A00}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019997Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:16.664{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3174-5FCE-0000-0010D8F12A00}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019998Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:16.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019999Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:16.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020000Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:16.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020001Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:16.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020002Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:16.664{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3174-5FCE-0000-0010D8F12A00}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019985Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:15.054{7E7FFDA1-3172-5FCE-0000-001017EE2A00}59006540C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019986Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:15.586{7E7FFDA1-3173-5FCE-0000-001015F02A00}6052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019987Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:15.586{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3173-5FCE-0000-001015F02A00}6052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019988Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:15.586{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3173-5FCE-0000-001015F02A00}6052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019989Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:15.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019990Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:15.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019991Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:15.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019992Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:15.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019993Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:15.586{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3173-5FCE-0000-001015F02A00}6052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019994Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:15.726{7E7FFDA1-3173-5FCE-0000-001015F02A00}60524264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019968Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:14.243{7E7FFDA1-3172-5FCE-0000-001058EC2A00}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019969Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:14.242{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3172-5FCE-0000-001058EC2A00}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019970Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:14.242{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3172-5FCE-0000-001058EC2A00}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019971Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:14.242{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019972Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:14.242{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019973Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:14.242{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019974Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:14.242{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019975Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:14.242{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3172-5FCE-0000-001058EC2A00}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019976Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:14.383{7E7FFDA1-3172-5FCE-0000-001058EC2A00}42566256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019977Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:14.915{7E7FFDA1-3172-5FCE-0000-001017EE2A00}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019978Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:14.914{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3172-5FCE-0000-001017EE2A00}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019979Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:14.914{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3172-5FCE-0000-001017EE2A00}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019980Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:14.914{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019981Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:14.914{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019982Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:14.914{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019983Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:14.914{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019984Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:14.914{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3172-5FCE-0000-001017EE2A00}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019960Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:13.571{7E7FFDA1-3171-5FCE-0000-00109FEA2A00}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019961Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:13.570{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3171-5FCE-0000-00109FEA2A00}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019962Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:13.570{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3171-5FCE-0000-00109FEA2A00}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019963Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:13.570{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019964Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:13.570{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019965Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:13.570{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019966Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:13.570{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019967Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:13.570{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3171-5FCE-0000-00109FEA2A00}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019951Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:12.493{7E7FFDA1-3170-5FCE-0000-0010CDE82A00}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019952Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:12.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3170-5FCE-0000-0010CDE82A00}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019953Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:12.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-3170-5FCE-0000-0010CDE82A00}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019954Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019955Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019956Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019957Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019958Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:12.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3170-5FCE-0000-0010CDE82A00}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019959Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:12.633{7E7FFDA1-3170-5FCE-0000-0010CDE82A00}47804000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019943Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:11.633{7E7FFDA1-316F-5FCE-0000-00101AE72A00}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019944Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:11.633{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-316F-5FCE-0000-00101AE72A00}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019945Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:11.633{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-316F-5FCE-0000-00101AE72A00}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019946Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:11.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019947Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:11.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019948Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:11.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019949Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:11.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019950Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:11.633{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-316F-5FCE-0000-00101AE72A00}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019935Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:16.665{7E7FFDA1-3138-5FCE-0000-001059CA2A00}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019936Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:16.665{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3138-5FCE-0000-001059CA2A00}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019937Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:16.665{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3138-5FCE-0000-001059CA2A00}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019938Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:16.665{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019939Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:16.665{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019940Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:16.665{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019941Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:16.665{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019942Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:16.665{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3138-5FCE-0000-001059CA2A00}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019926Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:15.431{7E7FFDA1-3137-5FCE-0000-00109BC82A00}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019927Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:15.430{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3137-5FCE-0000-00109BC82A00}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019928Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:15.430{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3137-5FCE-0000-00109BC82A00}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019929Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:15.430{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019930Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:15.430{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019931Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:15.430{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019932Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:15.430{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019933Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:15.430{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3137-5FCE-0000-00109BC82A00}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019934Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:15.571{7E7FFDA1-3137-5FCE-0000-00109BC82A00}59526168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019909Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:14.259{7E7FFDA1-3136-5FCE-0000-0010AFC42A00}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019910Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:14.258{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3136-5FCE-0000-0010AFC42A00}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019911Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:14.258{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-3136-5FCE-0000-0010AFC42A00}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019912Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:14.258{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019913Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:14.258{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019914Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:14.258{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019915Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:14.258{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019916Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:14.258{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3136-5FCE-0000-0010AFC42A00}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019917Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:14.760{7E7FFDA1-3136-5FCE-0000-00107BC62A00}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019918Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:14.758{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3136-5FCE-0000-00107BC62A00}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019919Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:14.758{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3136-5FCE-0000-00107BC62A00}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019920Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:14.758{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019921Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:14.758{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019922Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:14.758{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019923Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:14.758{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019924Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:14.758{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3136-5FCE-0000-00107BC62A00}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019925Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:14.899{7E7FFDA1-3136-5FCE-0000-00107BC62A00}53805700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019900Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:13.588{7E7FFDA1-3135-5FCE-0000-001023C32A00}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019901Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:13.587{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3135-5FCE-0000-001023C32A00}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019902Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:13.587{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3135-5FCE-0000-001023C32A00}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019903Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:13.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019904Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:13.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019905Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:13.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019906Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:13.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019907Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:13.587{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3135-5FCE-0000-001023C32A00}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019908Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:13.727{7E7FFDA1-3135-5FCE-0000-001023C32A00}46085276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019891Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:12.494{7E7FFDA1-3134-5FCE-0000-00105BC12A00}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019892Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:12.493{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3134-5FCE-0000-00105BC12A00}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019893Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:12.493{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3134-5FCE-0000-00105BC12A00}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019894Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019895Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019896Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019897Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019898Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:12.493{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3134-5FCE-0000-00105BC12A00}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019899Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:12.633{7E7FFDA1-3134-5FCE-0000-00105BC12A00}41486380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019883Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:11.619{7E7FFDA1-3133-5FCE-0000-0010A1BF2A00}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019884Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:11.618{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3133-5FCE-0000-0010A1BF2A00}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019885Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:11.618{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-3133-5FCE-0000-0010A1BF2A00}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019886Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:11.618{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019887Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:11.618{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019888Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:11.618{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019889Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:11.618{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019890Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:11.618{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3133-5FCE-0000-0010A1BF2A00}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019882Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:40.165{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}6121316C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-001002BA0000}1152C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019874Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:16.651{7E7FFDA1-30FC-5FCE-0000-0010ABB32A00}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019875Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:16.650{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-30FC-5FCE-0000-0010ABB32A00}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019876Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:16.650{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-30FC-5FCE-0000-0010ABB32A00}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019877Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:16.650{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019878Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:16.650{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019879Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:16.650{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019880Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:16.650{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019881Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:16.650{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-30FC-5FCE-0000-0010ABB32A00}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019856Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:15.041{7E7FFDA1-30FB-5FCE-0000-0010F1AF2A00}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019857Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:15.041{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-30FB-5FCE-0000-0010F1AF2A00}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019858Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:15.041{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-30FB-5FCE-0000-0010F1AF2A00}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019859Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:15.041{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019860Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:15.041{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019861Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:15.041{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019862Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:15.041{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019863Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:15.041{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-30FB-5FCE-0000-0010F1AF2A00}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019864Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:15.181{7E7FFDA1-30FB-5FCE-0000-0010F1AF2A00}69083980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019865Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:15.713{7E7FFDA1-30FB-5FCE-0000-0010EBB12A00}1556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019866Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:15.712{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-30FB-5FCE-0000-0010EBB12A00}1556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019867Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:15.712{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-30FB-5FCE-0000-0010EBB12A00}1556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019868Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:15.712{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019869Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:15.712{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019870Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:15.712{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019871Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:15.712{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019872Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:15.712{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-30FB-5FCE-0000-0010EBB12A00}1556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019873Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:15.853{7E7FFDA1-30FB-5FCE-0000-0010EBB12A00}15566560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019847Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:14.369{7E7FFDA1-30FA-5FCE-0000-001031AE2A00}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019848Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:14.369{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-30FA-5FCE-0000-001031AE2A00}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019849Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:14.369{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-30FA-5FCE-0000-001031AE2A00}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019850Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:14.369{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019851Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:14.369{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019852Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:14.369{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019853Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:14.369{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019854Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:14.369{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-30FA-5FCE-0000-001031AE2A00}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019855Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:14.509{7E7FFDA1-30FA-5FCE-0000-001031AE2A00}69965216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019839Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:13.744{7E7FFDA1-30F9-5FCE-0000-00106AAC2A00}2780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019840Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:13.744{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-30F9-5FCE-0000-00106AAC2A00}2780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019841Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:13.744{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-30F9-5FCE-0000-00106AAC2A00}2780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019842Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:13.744{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019843Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:13.744{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019844Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:13.744{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019845Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:13.744{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019846Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:13.744{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-30F9-5FCE-0000-00106AAC2A00}2780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019830Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:12.479{7E7FFDA1-30F8-5FCE-0000-00109EAA2A00}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019831Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:12.478{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-30F8-5FCE-0000-00109EAA2A00}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019832Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:12.478{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-30F8-5FCE-0000-00109EAA2A00}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019833Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:12.478{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019834Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:12.478{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019835Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:12.478{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019836Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:12.478{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019837Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:12.478{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-30F8-5FCE-0000-00109EAA2A00}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019838Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:12.619{7E7FFDA1-30F8-5FCE-0000-00109EAA2A00}65566232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019822Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:11.620{7E7FFDA1-30F7-5FCE-0000-0010F0A82A00}2180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019823Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:11.619{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-30F7-5FCE-0000-0010F0A82A00}2180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019824Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:11.619{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-30F7-5FCE-0000-0010F0A82A00}2180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019825Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:11.619{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019826Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:11.619{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019827Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:11.619{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019828Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:11.619{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019829Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:11.619{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-30F7-5FCE-0000-0010F0A82A00}2180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000019812Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:40:58.322{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6cca6-0xf9b0438a) 13241300x800000000000000019813Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:40:58.322{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cc9e-0x97ebdb8a) 13241300x800000000000000019814Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:40:58.322{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc96-0x3627738a) 13241300x800000000000000019815Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:40:58.322{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x005ebc71) 13241300x800000000000000019816Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:40:58.322{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000019817Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:40:58.322{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6cca6-0xf9b0438a) 13241300x800000000000000019818Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:40:58.322{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cc9e-0x97ebdb8a) 13241300x800000000000000019819Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:40:58.322{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc96-0x3627738a) 13241300x800000000000000019820Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:40:58.322{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x005ebc71) 13241300x800000000000000019821Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:40:58.322{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 10341000x800000000000000019811Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:39.291{7E7FFDA1-18AF-5FCE-0000-001027540000}8562468C:\Windows\system32\lsass.exe{7E7FFDA1-18AE-5FCE-0000-0010EB030000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000019808Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:37.354{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019809Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:37.354{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019810Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:37.354{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019800Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:16.636{7E7FFDA1-30C0-5FCE-0000-0010DB962A00}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019801Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:16.635{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-30C0-5FCE-0000-0010DB962A00}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019802Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:16.635{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-30C0-5FCE-0000-0010DB962A00}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019803Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:16.635{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019804Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:16.635{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019805Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:16.635{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019806Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:16.635{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019807Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:16.635{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-30C0-5FCE-0000-0010DB962A00}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019782Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:15.042{7E7FFDA1-30BF-5FCE-0000-001023932A00}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019783Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:15.041{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-30BF-5FCE-0000-001023932A00}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019784Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:15.041{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-30BF-5FCE-0000-001023932A00}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019785Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:15.041{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019786Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:15.041{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019787Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:15.041{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019788Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:15.041{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019789Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:15.041{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-30BF-5FCE-0000-001023932A00}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019790Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:15.182{7E7FFDA1-30BF-5FCE-0000-001023932A00}68206828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019791Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:15.714{7E7FFDA1-30BF-5FCE-0000-0010AF942A00}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019792Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:15.713{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-30BF-5FCE-0000-0010AF942A00}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019793Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:15.713{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-30BF-5FCE-0000-0010AF942A00}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019794Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:15.713{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019795Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:15.713{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019796Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:15.713{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019797Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:15.713{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019798Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:15.713{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-30BF-5FCE-0000-0010AF942A00}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019799Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:15.854{7E7FFDA1-30BF-5FCE-0000-0010AF942A00}61085484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019774Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:14.370{7E7FFDA1-30BE-5FCE-0000-001041912A00}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019775Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:14.370{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-30BE-5FCE-0000-001041912A00}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019776Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:14.370{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-30BE-5FCE-0000-001041912A00}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019777Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:14.370{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019778Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:14.370{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019779Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:14.370{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019780Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:14.370{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019781Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:14.370{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-30BE-5FCE-0000-001041912A00}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019765Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:13.745{7E7FFDA1-30BD-5FCE-0000-0010978F2A00}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019766Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:13.745{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-30BD-5FCE-0000-0010978F2A00}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019767Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:13.745{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-30BD-5FCE-0000-0010978F2A00}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019768Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:13.745{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019769Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:13.745{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019770Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:13.745{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019771Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:13.745{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019772Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:13.745{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-30BD-5FCE-0000-0010978F2A00}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019773Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:13.885{7E7FFDA1-30BD-5FCE-0000-0010978F2A00}26325628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019756Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:12.464{7E7FFDA1-30BC-5FCE-0000-0010CC8D2A00}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019757Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:12.463{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-30BC-5FCE-0000-0010CC8D2A00}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019758Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:12.463{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-30BC-5FCE-0000-0010CC8D2A00}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019759Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:12.463{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019760Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:12.463{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019761Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:12.463{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019762Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:12.463{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019763Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:12.463{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-30BC-5FCE-0000-0010CC8D2A00}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019764Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:12.604{7E7FFDA1-30BC-5FCE-0000-0010CC8D2A00}29566112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019748Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:11.620{7E7FFDA1-30BB-5FCE-0000-00101B8C2A00}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019749Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:11.620{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-30BB-5FCE-0000-00101B8C2A00}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019750Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:11.620{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-30BB-5FCE-0000-00101B8C2A00}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019751Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:11.620{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019752Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:11.620{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019753Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:11.620{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019754Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:11.620{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019755Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:11.620{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-30BB-5FCE-0000-00101B8C2A00}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019719Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:43.948{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019720Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:43.948{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019721Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:43.948{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019722Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:43.948{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019723Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:43.948{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019724Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:43.948{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019725Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:43.948{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019726Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:43.948{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019727Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:43.948{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019728Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:43.948{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019729Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:43.948{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019730Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:43.948{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019731Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:43.948{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019732Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:43.948{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019733Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:43.948{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019734Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:43.948{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019735Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:43.948{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019736Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:43.948{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019737Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:43.948{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019738Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:43.948{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019739Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:43.948{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019740Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:43.948{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019741Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:43.948{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019742Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:43.948{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019743Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:43.948{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019744Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:43.948{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019745Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:43.948{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019746Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:43.948{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019747Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:43.948{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019711Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:16.637{7E7FFDA1-3084-5FCE-0000-0010577F2A00}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019712Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:16.636{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3084-5FCE-0000-0010577F2A00}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019713Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:16.636{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3084-5FCE-0000-0010577F2A00}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019714Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:16.636{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019715Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:16.636{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019716Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:16.636{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019717Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:16.636{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019718Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:16.636{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3084-5FCE-0000-0010577F2A00}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019693Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:15.043{7E7FFDA1-3083-5FCE-0000-0010A37B2A00}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019694Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:15.042{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3083-5FCE-0000-0010A37B2A00}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019695Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:15.042{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3083-5FCE-0000-0010A37B2A00}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019696Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:15.042{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019697Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:15.042{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019698Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:15.042{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019699Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:15.042{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019700Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:15.042{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3083-5FCE-0000-0010A37B2A00}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019701Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:15.183{7E7FFDA1-3083-5FCE-0000-0010A37B2A00}10843712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019702Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:15.715{7E7FFDA1-3083-5FCE-0000-0010427D2A00}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019703Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:15.714{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3083-5FCE-0000-0010427D2A00}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019704Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:15.714{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3083-5FCE-0000-0010427D2A00}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019705Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:15.714{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019706Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:15.714{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019707Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:15.714{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019708Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:15.714{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019709Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:15.714{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3083-5FCE-0000-0010427D2A00}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019710Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:15.855{7E7FFDA1-3083-5FCE-0000-0010427D2A00}42406516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019684Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:14.371{7E7FFDA1-3082-5FCE-0000-0010D4792A00}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019685Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:14.370{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3082-5FCE-0000-0010D4792A00}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019686Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:14.370{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3082-5FCE-0000-0010D4792A00}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019687Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:14.370{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019688Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:14.370{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019689Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:14.370{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019690Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:14.370{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019691Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:14.370{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3082-5FCE-0000-0010D4792A00}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019692Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:14.511{7E7FFDA1-3082-5FCE-0000-0010D4792A00}49243308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019676Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:13.746{7E7FFDA1-3081-5FCE-0000-001036782A00}6236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019677Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:13.745{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3081-5FCE-0000-001036782A00}6236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019678Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:13.745{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3081-5FCE-0000-001036782A00}6236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019679Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:13.745{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019680Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:13.745{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019681Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:13.745{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019682Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:13.745{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019683Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:13.745{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3081-5FCE-0000-001036782A00}6236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019667Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:12.449{7E7FFDA1-3080-5FCE-0000-00104A762A00}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019668Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:12.449{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3080-5FCE-0000-00104A762A00}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019669Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:12.449{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3080-5FCE-0000-00104A762A00}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019670Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:12.449{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019671Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:12.449{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019672Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:12.449{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019673Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:12.449{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019674Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:12.449{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3080-5FCE-0000-00104A762A00}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019675Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:12.589{7E7FFDA1-3080-5FCE-0000-00104A762A00}64924856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019659Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:11.621{7E7FFDA1-307F-5FCE-0000-00109C742A00}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019660Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:11.620{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-307F-5FCE-0000-00109C742A00}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019661Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:11.620{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-307F-5FCE-0000-00109C742A00}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019662Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:11.620{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019663Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:11.620{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019664Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:11.620{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019665Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:11.620{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019666Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:39:11.620{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-307F-5FCE-0000-00109C742A00}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019648Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:16.622{7E7FFDA1-3048-5FCE-0000-0010C3662A00}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019649Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:16.621{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3048-5FCE-0000-0010C3662A00}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019650Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:16.621{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-3048-5FCE-0000-0010C3662A00}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019651Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:16.621{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019652Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:16.621{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019653Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:16.621{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019654Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:16.621{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019655Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:16.621{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3048-5FCE-0000-0010C3662A00}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000019656Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:38:16.684{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_A47110B2-D436-47F8-BEA1-61CCEBF6C04E.XML 13241300x800000000000000019657Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:38:16.684{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Config SourceDWORD (0x00000001) 13241300x800000000000000019658Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:38:16.684{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9D191D6C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9D191D6C-0000-0000-0000-100000000000.XML 154100x800000000000000019630Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:15.044{7E7FFDA1-3047-5FCE-0000-001010632A00}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019631Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:15.043{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3047-5FCE-0000-001010632A00}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019632Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:15.043{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3047-5FCE-0000-001010632A00}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019633Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:15.043{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019634Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:15.043{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019635Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:15.043{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019636Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:15.043{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019637Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:15.043{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3047-5FCE-0000-001010632A00}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019638Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:15.184{7E7FFDA1-3047-5FCE-0000-001010632A00}52925276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019639Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:15.716{7E7FFDA1-3047-5FCE-0000-001098642A00}2108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019640Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:15.715{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3047-5FCE-0000-001098642A00}2108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019641Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:15.715{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3047-5FCE-0000-001098642A00}2108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019642Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:15.715{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019643Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:15.715{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019644Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:15.715{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019645Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:15.715{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019646Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:15.715{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3047-5FCE-0000-001098642A00}2108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019647Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:15.856{7E7FFDA1-3047-5FCE-0000-001098642A00}21085248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019622Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:14.372{7E7FFDA1-3046-5FCE-0000-00102E612A00}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019623Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:14.371{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3046-5FCE-0000-00102E612A00}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019624Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:14.371{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3046-5FCE-0000-00102E612A00}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019625Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:14.371{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019626Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:14.371{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019627Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:14.371{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019628Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:14.371{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019629Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:14.371{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3046-5FCE-0000-00102E612A00}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019613Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:13.747{7E7FFDA1-3045-5FCE-0000-0010995F2A00}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019614Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:13.746{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3045-5FCE-0000-0010995F2A00}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019615Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:13.746{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3045-5FCE-0000-0010995F2A00}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019616Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:13.746{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019617Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:13.746{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019618Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:13.746{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019619Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:13.746{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019620Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:13.746{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3045-5FCE-0000-0010995F2A00}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019621Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:13.887{7E7FFDA1-3045-5FCE-0000-0010995F2A00}45244384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019604Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:12.435{7E7FFDA1-3044-5FCE-0000-0010B55D2A00}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019605Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:12.434{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3044-5FCE-0000-0010B55D2A00}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019606Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:12.434{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3044-5FCE-0000-0010B55D2A00}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019607Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:12.434{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019608Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:12.434{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019609Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:12.434{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019610Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:12.434{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019611Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:12.434{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3044-5FCE-0000-0010B55D2A00}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019612Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:12.574{7E7FFDA1-3044-5FCE-0000-0010B55D2A00}5080172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019596Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:11.622{7E7FFDA1-3043-5FCE-0000-0010FE5B2A00}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019597Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:11.621{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3043-5FCE-0000-0010FE5B2A00}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019598Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:11.621{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3043-5FCE-0000-0010FE5B2A00}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019599Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:11.621{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019600Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:11.621{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019601Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:11.621{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019602Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:11.621{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019603Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:38:11.621{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3043-5FCE-0000-0010FE5B2A00}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019567Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:42.934{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019568Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:42.934{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019569Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:42.934{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019570Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:42.934{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019571Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:42.934{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019572Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:42.934{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019573Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:42.934{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019574Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:42.934{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019575Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:42.934{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019576Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:42.934{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019577Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:42.934{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019578Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:42.934{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019579Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:42.934{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019580Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:42.934{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019581Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:42.934{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019582Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:42.934{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019583Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:42.934{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019584Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:42.934{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019585Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:42.934{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019586Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:42.934{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019587Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:42.934{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019588Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:42.934{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019589Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:42.934{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019590Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:42.934{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019591Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:42.934{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019592Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:42.934{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019593Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:42.934{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019594Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:42.934{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019595Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:42.934{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019564Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:37.122{7E7FFDA1-18B1-5FCE-0000-001002BA0000}11526564C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019565Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:37.122{7E7FFDA1-18B1-5FCE-0000-001002BA0000}11526564C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000019566Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:37:37.544{7E7FFDA1-18B1-5FCE-0000-001008C50000}1204C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6cc9e-0x2074f1f8) 10341000x800000000000000019563Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:35.497{7E7FFDA1-18AF-5FCE-0000-001027540000}8562468C:\Windows\system32\lsass.exe{7E7FFDA1-18AE-5FCE-0000-0010EB030000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 154100x800000000000000019555Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:16.623{7E7FFDA1-300C-5FCE-0000-0010314E2A00}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019556Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:16.622{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-300C-5FCE-0000-0010314E2A00}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019557Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:16.622{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-300C-5FCE-0000-0010314E2A00}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019558Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:16.622{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019559Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:16.622{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019560Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:16.622{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019561Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:16.622{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019562Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:16.622{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-300C-5FCE-0000-0010314E2A00}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019545Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:15.122{7E7FFDA1-300A-5FCE-0000-00105D4A2A00}69806556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019546Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:15.654{7E7FFDA1-300B-5FCE-0000-0010654C2A00}2140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019547Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:15.653{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-300B-5FCE-0000-0010654C2A00}2140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019548Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:15.653{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-300B-5FCE-0000-0010654C2A00}2140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019549Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:15.653{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019550Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:15.653{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019551Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:15.653{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019552Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:15.653{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019553Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:15.653{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-300B-5FCE-0000-0010654C2A00}2140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019554Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:15.794{7E7FFDA1-300B-5FCE-0000-0010654C2A00}21402076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019528Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:14.373{7E7FFDA1-300A-5FCE-0000-0010A1482A00}2180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019529Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:14.372{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-300A-5FCE-0000-0010A1482A00}2180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019530Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:14.372{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-300A-5FCE-0000-0010A1482A00}2180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019531Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:14.372{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019532Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:14.372{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019533Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:14.372{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019534Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:14.372{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019535Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:14.372{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-300A-5FCE-0000-0010A1482A00}2180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019536Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:14.513{7E7FFDA1-300A-5FCE-0000-0010A1482A00}21802852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019537Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:14.983{7E7FFDA1-300A-5FCE-0000-00105D4A2A00}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019538Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:14.981{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-300A-5FCE-0000-00105D4A2A00}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019539Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:14.981{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-300A-5FCE-0000-00105D4A2A00}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019540Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:14.981{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019541Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:14.981{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019542Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:14.981{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019543Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:14.981{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019544Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:14.981{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-300A-5FCE-0000-00105D4A2A00}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019520Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:13.748{7E7FFDA1-3009-5FCE-0000-0010F7462A00}6924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019521Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:13.747{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3009-5FCE-0000-0010F7462A00}6924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019522Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:13.747{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3009-5FCE-0000-0010F7462A00}6924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019523Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:13.747{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019524Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:13.747{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019525Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:13.747{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019526Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:13.747{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019527Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:13.747{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3009-5FCE-0000-0010F7462A00}6924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019511Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:12.420{7E7FFDA1-3008-5FCE-0000-00100C452A00}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019512Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:12.419{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3008-5FCE-0000-00100C452A00}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019513Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:12.419{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3008-5FCE-0000-00100C452A00}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019514Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:12.419{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019515Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:12.419{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019516Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:12.419{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019517Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:12.419{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019518Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:12.419{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3008-5FCE-0000-00100C452A00}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019519Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:12.560{7E7FFDA1-3008-5FCE-0000-00100C452A00}15487056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019503Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:11.623{7E7FFDA1-3007-5FCE-0000-001072432A00}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019504Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:11.622{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3007-5FCE-0000-001072432A00}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019505Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:11.622{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3007-5FCE-0000-001072432A00}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019506Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:11.622{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019507Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:11.622{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019508Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:11.622{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019509Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:11.622{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019510Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:37:11.622{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3007-5FCE-0000-001072432A00}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019495Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:16.749{7E7FFDA1-2FD0-5FCE-0000-001095372A00}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019496Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:16.748{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2FD0-5FCE-0000-001095372A00}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019497Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:16.748{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2FD0-5FCE-0000-001095372A00}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019498Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:16.748{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019499Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:16.748{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019500Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:16.748{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019501Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:16.748{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019502Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:16.748{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2FD0-5FCE-0000-001095372A00}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019477Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:15.046{7E7FFDA1-2FCF-5FCE-0000-0010AD332A00}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019478Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:15.045{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2FCF-5FCE-0000-0010AD332A00}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019479Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:15.045{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2FCF-5FCE-0000-0010AD332A00}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019480Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:15.045{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019481Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:15.045{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019482Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:15.045{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019483Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:15.045{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019484Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:15.045{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2FCF-5FCE-0000-0010AD332A00}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019485Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:15.185{7E7FFDA1-2FCF-5FCE-0000-0010AD332A00}29326084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019486Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:15.718{7E7FFDA1-2FCF-5FCE-0000-001056352A00}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019487Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:15.717{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2FCF-5FCE-0000-001056352A00}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019488Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:15.717{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-2FCF-5FCE-0000-001056352A00}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019489Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:15.717{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019490Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:15.717{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019491Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:15.717{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019492Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:15.717{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019493Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:15.717{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2FCF-5FCE-0000-001056352A00}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019494Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:15.857{7E7FFDA1-2FCF-5FCE-0000-001056352A00}58005576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019469Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:14.374{7E7FFDA1-2FCE-5FCE-0000-0010FF312A00}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019470Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:14.373{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2FCE-5FCE-0000-0010FF312A00}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019471Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:14.373{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2FCE-5FCE-0000-0010FF312A00}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019472Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:14.373{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019473Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:14.373{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019474Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:14.373{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019475Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:14.373{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019476Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:14.373{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2FCE-5FCE-0000-0010FF312A00}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019460Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:13.733{7E7FFDA1-2FCD-5FCE-0000-00104C302A00}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019461Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:13.732{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2FCD-5FCE-0000-00104C302A00}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019462Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:13.732{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-2FCD-5FCE-0000-00104C302A00}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019463Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:13.732{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019464Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:13.732{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019465Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:13.732{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019466Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:13.732{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019467Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:13.732{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2FCD-5FCE-0000-00104C302A00}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019468Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:13.873{7E7FFDA1-2FCD-5FCE-0000-00104C302A00}55647024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019451Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:12.405{7E7FFDA1-2FCC-5FCE-0000-00107F2E2A00}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019452Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:12.404{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2FCC-5FCE-0000-00107F2E2A00}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019453Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:12.404{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2FCC-5FCE-0000-00107F2E2A00}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019454Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:12.404{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019455Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:12.404{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019456Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:12.404{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019457Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:12.404{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019458Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:12.404{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2FCC-5FCE-0000-00107F2E2A00}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019459Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:12.545{7E7FFDA1-2FCC-5FCE-0000-00107F2E2A00}43446724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019443Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:11.624{7E7FFDA1-2FCB-5FCE-0000-0010D22C2A00}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019444Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:11.623{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2FCB-5FCE-0000-0010D22C2A00}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019445Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:11.623{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-2FCB-5FCE-0000-0010D22C2A00}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019446Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:11.623{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019447Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:11.623{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019448Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:11.623{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019449Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:11.623{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019450Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:36:11.623{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2FCB-5FCE-0000-0010D22C2A00}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000019433Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:35:58.311{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6cca6-0x46dd748a) 13241300x800000000000000019434Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:35:58.311{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cc9d-0xe5190c8a) 13241300x800000000000000019435Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:35:58.311{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc95-0x8354a48a) 13241300x800000000000000019436Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:35:58.311{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x005a2881) 13241300x800000000000000019437Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:35:58.311{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000019438Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:35:58.311{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6cca6-0x46dd748a) 13241300x800000000000000019439Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:35:58.311{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cc9d-0xe5190c8a) 13241300x800000000000000019440Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:35:58.311{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc95-0x8354a48a) 13241300x800000000000000019441Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:35:58.311{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x005a2881) 13241300x800000000000000019442Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:35:58.311{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 10341000x800000000000000019404Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:41.920{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019405Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:41.920{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019406Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:41.920{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019407Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:41.920{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019408Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:41.920{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019409Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:41.920{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019410Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:41.920{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019411Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:41.920{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019412Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:41.920{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019413Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:41.920{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019414Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:41.920{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019415Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:41.920{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019416Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:41.920{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019417Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:41.920{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019418Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:41.920{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019419Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:41.920{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019420Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:41.920{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019421Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:41.920{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019422Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:41.920{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019423Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:41.920{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019424Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:41.920{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019425Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:41.920{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019426Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:41.920{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019427Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:41.920{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019428Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:41.920{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019429Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:41.920{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019430Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:41.920{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019431Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:41.920{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019432Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:41.920{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019403Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:39.155{7E7FFDA1-18AF-5FCE-0000-001027540000}8562468C:\Windows\system32\lsass.exe{7E7FFDA1-18AE-5FCE-0000-0010EB030000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000019400Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:37.342{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019401Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:37.342{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019402Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:37.342{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000019399Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:35:29.686{7E7FFDA1-18B1-5FCE-0000-001008C50000}1204C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6cc9d-0xd43f73e4) 354300x800000000000000019398Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localRDP2020-12-07 13:35:17.184{7E7FFDA1-18B1-5FCE-0000-0010BBB90000}1144C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse220.191.173.22257584false10.0.1.14win-dc-633.attackrange.local3389ms-wbt-server 154100x800000000000000019390Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:16.750{7E7FFDA1-2F94-5FCE-0000-00107A1A2A00}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019391Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:16.749{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2F94-5FCE-0000-00107A1A2A00}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019392Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:16.749{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2F94-5FCE-0000-00107A1A2A00}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019393Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:16.749{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019394Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:16.749{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019395Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:16.749{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019396Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:16.749{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019397Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:16.749{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2F94-5FCE-0000-00107A1A2A00}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019372Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:15.047{7E7FFDA1-2F93-5FCE-0000-001042162A00}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019373Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:15.046{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2F93-5FCE-0000-001042162A00}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019374Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:15.046{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2F93-5FCE-0000-001042162A00}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019375Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:15.046{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019376Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:15.046{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019377Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:15.046{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019378Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:15.046{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019379Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:15.046{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2F93-5FCE-0000-001042162A00}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019380Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:15.186{7E7FFDA1-2F93-5FCE-0000-001042162A00}49441476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019381Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:15.718{7E7FFDA1-2F93-5FCE-0000-0010CC172A00}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019382Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:15.718{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2F93-5FCE-0000-0010CC172A00}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019383Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:15.718{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2F93-5FCE-0000-0010CC172A00}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019384Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:15.718{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019385Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:15.718{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019386Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:15.718{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019387Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:15.718{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019388Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:15.718{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2F93-5FCE-0000-0010CC172A00}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019389Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:15.858{7E7FFDA1-2F93-5FCE-0000-0010CC172A00}19286480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019363Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:14.375{7E7FFDA1-2F92-5FCE-0000-001082142A00}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019364Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:14.374{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2F92-5FCE-0000-001082142A00}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019365Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:14.374{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-2F92-5FCE-0000-001082142A00}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019366Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:14.374{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019367Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:14.374{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019368Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:14.374{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019369Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:14.374{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019370Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:14.374{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2F92-5FCE-0000-001082142A00}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019371Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:14.514{7E7FFDA1-2F92-5FCE-0000-001082142A00}23722028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019355Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:13.734{7E7FFDA1-2F91-5FCE-0000-0010B8122A00}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019356Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:13.733{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2F91-5FCE-0000-0010B8122A00}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019357Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:13.733{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2F91-5FCE-0000-0010B8122A00}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019358Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:13.733{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019359Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:13.733{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019360Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:13.733{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019361Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:13.733{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019362Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:13.733{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2F91-5FCE-0000-0010B8122A00}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019346Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:12.391{7E7FFDA1-2F90-5FCE-0000-0010ED102A00}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019347Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:12.390{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2F90-5FCE-0000-0010ED102A00}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019348Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:12.390{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2F90-5FCE-0000-0010ED102A00}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019349Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:12.390{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019350Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:12.390{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019351Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:12.390{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019352Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:12.390{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019353Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:12.390{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2F90-5FCE-0000-0010ED102A00}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019354Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:12.546{7E7FFDA1-2F90-5FCE-0000-0010ED102A00}14562008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019338Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:11.625{7E7FFDA1-2F8F-5FCE-0000-0010380F2A00}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019339Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:11.624{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2F8F-5FCE-0000-0010380F2A00}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019340Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:11.624{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-2F8F-5FCE-0000-0010380F2A00}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019341Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:11.624{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019342Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:11.624{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019343Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:11.624{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019344Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:11.624{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019345Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:35:11.624{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2F8F-5FCE-0000-0010380F2A00}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019330Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:16.751{7E7FFDA1-2F58-5FCE-0000-001015002A00}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019331Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:16.750{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2F58-5FCE-0000-001015002A00}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019332Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:16.750{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2F58-5FCE-0000-001015002A00}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019333Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:16.750{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019334Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:16.750{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019335Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:16.750{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019336Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:16.750{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019337Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:16.750{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2F58-5FCE-0000-001015002A00}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019312Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:15.047{7E7FFDA1-2F57-5FCE-0000-001035FC2900}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019313Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:15.047{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2F57-5FCE-0000-001035FC2900}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019314Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:15.047{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-2F57-5FCE-0000-001035FC2900}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019315Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:15.047{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019316Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:15.047{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019317Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:15.047{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019318Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:15.047{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019319Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:15.047{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2F57-5FCE-0000-001035FC2900}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019320Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:15.187{7E7FFDA1-2F57-5FCE-0000-001035FC2900}2936172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019321Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:15.719{7E7FFDA1-2F57-5FCE-0000-0010E5FD2900}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019322Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:15.718{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2F57-5FCE-0000-0010E5FD2900}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019323Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:15.718{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2F57-5FCE-0000-0010E5FD2900}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019324Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:15.718{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019325Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:15.718{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019326Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:15.718{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019327Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:15.718{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019328Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:15.718{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2F57-5FCE-0000-0010E5FD2900}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019329Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:15.859{7E7FFDA1-2F57-5FCE-0000-0010E5FD2900}63764524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019304Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:14.375{7E7FFDA1-2F56-5FCE-0000-001066FA2900}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019305Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:14.375{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2F56-5FCE-0000-001066FA2900}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019306Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:14.375{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2F56-5FCE-0000-001066FA2900}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019307Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:14.375{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019308Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:14.375{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019309Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:14.375{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019310Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:14.375{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019311Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:14.375{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2F56-5FCE-0000-001066FA2900}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019295Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:13.735{7E7FFDA1-2F55-5FCE-0000-0010D4F82900}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019296Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:13.734{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2F55-5FCE-0000-0010D4F82900}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019297Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:13.734{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2F55-5FCE-0000-0010D4F82900}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019298Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:13.734{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019299Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:13.734{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019300Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:13.734{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019301Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:13.734{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019302Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:13.734{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2F55-5FCE-0000-0010D4F82900}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019303Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:13.875{7E7FFDA1-2F55-5FCE-0000-0010D4F82900}69527016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019286Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:12.407{7E7FFDA1-2F54-5FCE-0000-0010E4F62900}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019287Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:12.406{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2F54-5FCE-0000-0010E4F62900}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019288Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:12.406{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2F54-5FCE-0000-0010E4F62900}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019289Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:12.406{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019290Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:12.406{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019291Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:12.406{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019292Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:12.406{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019293Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:12.406{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2F54-5FCE-0000-0010E4F62900}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019294Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:12.547{7E7FFDA1-2F54-5FCE-0000-0010E4F62900}64765960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019278Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:11.626{7E7FFDA1-2F53-5FCE-0000-00102FF52900}1200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019279Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:11.625{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2F53-5FCE-0000-00102FF52900}1200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019280Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:11.625{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2F53-5FCE-0000-00102FF52900}1200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019281Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:11.625{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019282Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:11.625{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019283Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:11.625{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019284Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:11.625{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019285Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:34:11.625{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2F53-5FCE-0000-00102FF52900}1200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019249Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:40.906{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019250Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:40.906{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019251Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:40.906{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019252Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:40.906{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019253Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:40.906{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019254Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:40.906{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019255Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:40.906{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019256Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:40.906{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019257Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:40.906{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019258Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:40.906{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019259Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:40.906{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019260Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:40.906{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019261Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:40.906{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019262Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:40.906{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019263Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:40.906{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019264Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:40.906{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019265Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:40.906{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019266Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:40.906{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019267Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:40.906{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019268Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:40.906{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019269Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:40.906{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019270Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:40.906{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019271Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:40.906{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019272Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:40.906{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019273Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:40.906{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019274Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:40.906{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019275Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:40.906{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019276Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:40.906{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019277Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:40.906{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000019238Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:33:16.219{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_A47110B2-D436-47F8-BEA1-61CCEBF6C04E.XML 13241300x800000000000000019239Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:33:16.219{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Config SourceDWORD (0x00000001) 13241300x800000000000000019240Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:33:16.219{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9D191D6C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9D191D6C-0000-0000-0000-100000000000.XML 154100x800000000000000019241Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:16.751{7E7FFDA1-2F1C-5FCE-0000-0010AAE82900}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019242Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:16.751{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2F1C-5FCE-0000-0010AAE82900}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019243Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:16.751{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-2F1C-5FCE-0000-0010AAE82900}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019244Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:16.751{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019245Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:16.751{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019246Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:16.751{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019247Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:16.751{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019248Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:16.751{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2F1C-5FCE-0000-0010AAE82900}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019220Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:15.048{7E7FFDA1-2F1B-5FCE-0000-001008E32900}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019221Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:15.047{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2F1B-5FCE-0000-001008E32900}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019222Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:15.047{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2F1B-5FCE-0000-001008E32900}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019223Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:15.047{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019224Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:15.047{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019225Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:15.047{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019226Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:15.047{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019227Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:15.047{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2F1B-5FCE-0000-001008E32900}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019228Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:15.188{7E7FFDA1-2F1B-5FCE-0000-001008E32900}50566660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019229Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:15.720{7E7FFDA1-2F1B-5FCE-0000-00101FE52900}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019230Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:15.719{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2F1B-5FCE-0000-00101FE52900}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019231Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:15.719{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2F1B-5FCE-0000-00101FE52900}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019232Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:15.719{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019233Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:15.719{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019234Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:15.719{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019235Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:15.719{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019236Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:15.719{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2F1B-5FCE-0000-00101FE52900}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019237Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:15.860{7E7FFDA1-2F1B-5FCE-0000-00101FE52900}52362180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019211Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:14.376{7E7FFDA1-2F1A-5FCE-0000-00104BE12900}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019212Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:14.376{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2F1A-5FCE-0000-00104BE12900}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019213Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:14.376{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-2F1A-5FCE-0000-00104BE12900}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019214Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:14.376{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019215Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:14.376{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019216Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:14.376{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019217Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:14.376{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019218Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:14.376{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2F1A-5FCE-0000-00104BE12900}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019219Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:14.516{7E7FFDA1-2F1A-5FCE-0000-00104BE12900}45802968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019203Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:13.720{7E7FFDA1-2F19-5FCE-0000-0010B0DF2900}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019204Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:13.719{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2F19-5FCE-0000-0010B0DF2900}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019205Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:13.719{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2F19-5FCE-0000-0010B0DF2900}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019206Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:13.719{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019207Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:13.719{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019208Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:13.719{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019209Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:13.719{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019210Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:13.719{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2F19-5FCE-0000-0010B0DF2900}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019194Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:12.392{7E7FFDA1-2F18-5FCE-0000-0010B2DD2900}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019195Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:12.391{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2F18-5FCE-0000-0010B2DD2900}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019196Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:12.391{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-2F18-5FCE-0000-0010B2DD2900}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019197Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:12.391{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019198Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:12.391{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019199Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:12.391{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019200Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:12.391{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019201Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:12.391{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2F18-5FCE-0000-0010B2DD2900}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019202Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:12.532{7E7FFDA1-2F18-5FCE-0000-0010B2DD2900}6888812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019186Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:11.611{7E7FFDA1-2F17-5FCE-0000-001029DC2900}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019187Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:11.610{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2F17-5FCE-0000-001029DC2900}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019188Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:11.610{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-2F17-5FCE-0000-001029DC2900}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019189Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:11.610{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019190Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:11.610{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019191Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:11.610{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019192Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:11.610{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019193Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:33:11.610{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2F17-5FCE-0000-001029DC2900}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019178Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:16.752{7E7FFDA1-2EE0-5FCE-0000-0010E0BF2900}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019179Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:16.751{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2EE0-5FCE-0000-0010E0BF2900}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019180Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:16.751{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2EE0-5FCE-0000-0010E0BF2900}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019181Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:16.751{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019182Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:16.751{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019183Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:16.751{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019184Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:16.751{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019185Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:16.751{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2EE0-5FCE-0000-0010E0BF2900}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019160Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:15.049{7E7FFDA1-2EDF-5FCE-0000-001009BC2900}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019161Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:15.048{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2EDF-5FCE-0000-001009BC2900}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019162Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:15.048{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-2EDF-5FCE-0000-001009BC2900}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019163Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:15.048{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019164Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:15.048{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019165Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:15.048{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019166Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:15.048{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019167Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:15.048{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2EDF-5FCE-0000-001009BC2900}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019168Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:15.189{7E7FFDA1-2EDF-5FCE-0000-001009BC2900}55567024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019169Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:15.721{7E7FFDA1-2EDF-5FCE-0000-0010ADBD2900}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019170Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:15.720{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2EDF-5FCE-0000-0010ADBD2900}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019171Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:15.720{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2EDF-5FCE-0000-0010ADBD2900}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019172Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:15.720{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019173Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:15.720{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019174Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:15.720{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019175Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:15.720{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019176Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:15.720{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2EDF-5FCE-0000-0010ADBD2900}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019177Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:15.861{7E7FFDA1-2EDF-5FCE-0000-0010ADBD2900}25285260C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019152Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:14.377{7E7FFDA1-2EDE-5FCE-0000-001039BA2900}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019153Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:14.376{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2EDE-5FCE-0000-001039BA2900}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019154Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:14.376{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-2EDE-5FCE-0000-001039BA2900}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019155Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:14.376{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019156Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:14.376{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019157Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:14.376{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019158Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:14.376{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019159Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:14.376{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2EDE-5FCE-0000-001039BA2900}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019143Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:13.721{7E7FFDA1-2EDD-5FCE-0000-0010ADB82900}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019144Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:13.720{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2EDD-5FCE-0000-0010ADB82900}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019145Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:13.720{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-2EDD-5FCE-0000-0010ADB82900}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019146Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:13.720{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019147Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:13.720{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019148Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:13.720{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019149Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:13.720{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019150Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:13.720{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2EDD-5FCE-0000-0010ADB82900}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019151Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:13.861{7E7FFDA1-2EDD-5FCE-0000-0010ADB82900}26682236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019134Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:12.393{7E7FFDA1-2EDC-5FCE-0000-0010B7B62900}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019135Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:12.392{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2EDC-5FCE-0000-0010B7B62900}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019136Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:12.392{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2EDC-5FCE-0000-0010B7B62900}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019137Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:12.392{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019138Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:12.392{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019139Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:12.392{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019140Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:12.392{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019141Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:12.392{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2EDC-5FCE-0000-0010B7B62900}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019142Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:12.533{7E7FFDA1-2EDC-5FCE-0000-0010B7B62900}67006656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019126Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:11.596{7E7FFDA1-2EDB-5FCE-0000-00101CB52900}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019127Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:11.595{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2EDB-5FCE-0000-00101CB52900}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019128Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:11.595{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2EDB-5FCE-0000-00101CB52900}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019129Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:11.595{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019130Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:11.595{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019131Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:11.595{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019132Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:11.595{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019133Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:32:11.595{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2EDB-5FCE-0000-00101CB52900}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019125Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:39.893{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}6126052C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-001002BA0000}1152C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019117Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:16.737{7E7FFDA1-2EA4-5FCE-0000-001005A92900}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019118Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:16.737{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2EA4-5FCE-0000-001005A92900}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019119Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:16.737{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2EA4-5FCE-0000-001005A92900}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019120Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:16.737{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019121Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:16.737{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019122Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:16.737{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019123Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:16.737{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019124Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:16.737{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2EA4-5FCE-0000-001005A92900}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019099Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:15.050{7E7FFDA1-2EA3-5FCE-0000-00102CA52900}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019100Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:15.049{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2EA3-5FCE-0000-00102CA52900}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019101Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:15.049{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2EA3-5FCE-0000-00102CA52900}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019102Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:15.049{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019103Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:15.049{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019104Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:15.049{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019105Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:15.049{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019106Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:15.049{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2EA3-5FCE-0000-00102CA52900}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019107Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:15.190{7E7FFDA1-2EA3-5FCE-0000-00102CA52900}53084944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019108Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:15.722{7E7FFDA1-2EA3-5FCE-0000-0010D2A62900}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019109Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:15.721{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2EA3-5FCE-0000-0010D2A62900}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019110Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:15.721{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2EA3-5FCE-0000-0010D2A62900}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019111Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:15.721{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019112Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:15.721{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019113Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:15.721{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019114Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:15.721{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019115Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:15.721{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2EA3-5FCE-0000-0010D2A62900}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019116Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:15.862{7E7FFDA1-2EA3-5FCE-0000-0010D2A62900}19282972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019090Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:14.378{7E7FFDA1-2EA2-5FCE-0000-00106EA32900}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019091Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:14.377{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2EA2-5FCE-0000-00106EA32900}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019092Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:14.377{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-2EA2-5FCE-0000-00106EA32900}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019093Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:14.377{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019094Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:14.377{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019095Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:14.377{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019096Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:14.377{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019097Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:14.377{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2EA2-5FCE-0000-00106EA32900}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019098Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:14.518{7E7FFDA1-2EA2-5FCE-0000-00106EA32900}23721908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019082Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:13.722{7E7FFDA1-2EA1-5FCE-0000-001040A12900}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019083Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:13.721{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2EA1-5FCE-0000-001040A12900}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019084Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:13.721{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-2EA1-5FCE-0000-001040A12900}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019085Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:13.721{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019086Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:13.721{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019087Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:13.721{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019088Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:13.721{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019089Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:13.721{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2EA1-5FCE-0000-001040A12900}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019073Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:12.394{7E7FFDA1-2EA0-5FCE-0000-0010679F2900}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019074Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:12.393{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2EA0-5FCE-0000-0010679F2900}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019075Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:12.393{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2EA0-5FCE-0000-0010679F2900}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019076Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:12.393{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019077Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:12.393{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019078Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:12.393{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019079Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:12.393{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019080Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:12.393{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2EA0-5FCE-0000-0010679F2900}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019081Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:12.534{7E7FFDA1-2EA0-5FCE-0000-0010679F2900}20082128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019065Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:11.581{7E7FFDA1-2E9F-5FCE-0000-0010BD9D2900}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019066Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:11.580{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2E9F-5FCE-0000-0010BD9D2900}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019067Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:11.580{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2E9F-5FCE-0000-0010BD9D2900}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019068Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:11.580{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019069Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:11.580{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019070Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:11.580{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019071Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:11.580{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019072Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:31:11.580{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2E9F-5FCE-0000-0010BD9D2900}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000019055Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:30:58.299{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6cca5-0x940aa58a) 13241300x800000000000000019056Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:30:58.299{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cc9d-0x32463d8a) 13241300x800000000000000019057Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:30:58.299{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc94-0xd081d58a) 13241300x800000000000000019058Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:30:58.299{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00559491) 13241300x800000000000000019059Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:30:58.299{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000019060Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:30:58.299{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6cca5-0x940aa58a) 13241300x800000000000000019061Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:30:58.299{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cc9d-0x32463d8a) 13241300x800000000000000019062Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:30:58.299{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc94-0xd081d58a) 13241300x800000000000000019063Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:30:58.299{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00559491) 13241300x800000000000000019064Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:30:58.299{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 10341000x800000000000000019054Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:39.018{7E7FFDA1-18AF-5FCE-0000-001027540000}856896C:\Windows\system32\lsass.exe{7E7FFDA1-18AE-5FCE-0000-0010EB030000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000019051Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:37.331{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019052Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:37.331{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019053Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:37.331{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019043Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:16.723{7E7FFDA1-2E68-5FCE-0000-0010A68B2900}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019044Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:16.722{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2E68-5FCE-0000-0010A68B2900}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019045Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:16.722{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2E68-5FCE-0000-0010A68B2900}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019046Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:16.722{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019047Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:16.722{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019048Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:16.722{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019049Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:16.722{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019050Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:16.722{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2E68-5FCE-0000-0010A68B2900}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019025Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:15.051{7E7FFDA1-2E67-5FCE-0000-0010C9872900}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019026Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:15.050{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2E67-5FCE-0000-0010C9872900}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019027Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:15.050{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-2E67-5FCE-0000-0010C9872900}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019028Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:15.050{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019029Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:15.050{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019030Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:15.050{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019031Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:15.050{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019032Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:15.050{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2E67-5FCE-0000-0010C9872900}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019033Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:15.191{7E7FFDA1-2E67-5FCE-0000-0010C9872900}51924900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019034Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:15.723{7E7FFDA1-2E67-5FCE-0000-00107B892900}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019035Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:15.722{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2E67-5FCE-0000-00107B892900}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019036Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:15.722{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-2E67-5FCE-0000-00107B892900}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019037Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:15.722{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019038Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:15.722{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019039Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:15.722{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019040Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:15.722{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019041Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:15.722{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2E67-5FCE-0000-00107B892900}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019042Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:15.863{7E7FFDA1-2E67-5FCE-0000-00107B892900}69206120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019017Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:14.379{7E7FFDA1-2E66-5FCE-0000-001011862900}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019018Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:14.378{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2E66-5FCE-0000-001011862900}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019019Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:14.378{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2E66-5FCE-0000-001011862900}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019020Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:14.378{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019021Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:14.378{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019022Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:14.378{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019023Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:14.378{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019024Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:14.378{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2E66-5FCE-0000-001011862900}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019008Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:13.723{7E7FFDA1-2E65-5FCE-0000-001069842900}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019009Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:13.722{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2E65-5FCE-0000-001069842900}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019010Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:13.722{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-2E65-5FCE-0000-001069842900}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019011Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:13.722{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019012Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:13.722{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019013Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:13.722{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019014Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:13.722{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019015Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:13.722{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2E65-5FCE-0000-001069842900}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019016Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:13.863{7E7FFDA1-2E65-5FCE-0000-001069842900}42803008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018999Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:12.379{7E7FFDA1-2E64-5FCE-0000-001095822900}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019000Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:12.378{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2E64-5FCE-0000-001095822900}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019001Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:12.378{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2E64-5FCE-0000-001095822900}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019002Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:12.378{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019003Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:12.378{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019004Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:12.378{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019005Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:12.378{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019006Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:12.378{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2E64-5FCE-0000-001095822900}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019007Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:12.519{7E7FFDA1-2E64-5FCE-0000-001095822900}68124928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018991Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:11.567{7E7FFDA1-2E63-5FCE-0000-0010EE802900}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018992Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:11.566{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2E63-5FCE-0000-0010EE802900}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018993Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:11.566{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2E63-5FCE-0000-0010EE802900}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018994Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:11.566{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018995Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:11.566{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018996Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:11.566{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018997Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:11.566{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018998Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:11.566{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2E63-5FCE-0000-0010EE802900}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018962Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:03.691{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018963Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:03.691{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018964Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:03.691{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018965Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:03.691{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018966Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:03.691{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018967Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:03.691{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018968Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:03.691{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018969Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:03.691{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018970Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:03.691{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018971Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:03.691{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018972Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:03.691{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018973Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:03.691{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018974Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:03.691{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018975Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:03.691{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018976Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:03.691{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018977Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:03.691{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018978Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:03.691{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018979Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:03.691{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018980Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:03.691{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018981Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:03.691{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018982Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:03.691{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018983Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:03.691{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018984Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:03.691{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018985Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:03.691{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018986Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:03.691{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018987Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:03.691{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018988Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:03.691{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018989Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:03.691{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018990Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:30:03.691{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018954Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:16.708{7E7FFDA1-2E2C-5FCE-0000-00107B742900}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018955Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:16.707{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2E2C-5FCE-0000-00107B742900}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018956Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:16.707{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2E2C-5FCE-0000-00107B742900}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018957Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:16.707{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018958Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:16.707{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018959Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:16.707{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018960Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:16.707{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018961Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:16.707{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2E2C-5FCE-0000-00107B742900}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018936Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:15.036{7E7FFDA1-2E2B-5FCE-0000-00109B702900}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018937Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:15.035{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2E2B-5FCE-0000-00109B702900}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018938Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:15.035{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-2E2B-5FCE-0000-00109B702900}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018939Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:15.035{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018940Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:15.035{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018941Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:15.035{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018942Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:15.035{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018943Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:15.035{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2E2B-5FCE-0000-00109B702900}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018944Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:15.176{7E7FFDA1-2E2B-5FCE-0000-00109B702900}43766740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018945Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:15.708{7E7FFDA1-2E2B-5FCE-0000-0010AE722900}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018946Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:15.707{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2E2B-5FCE-0000-0010AE722900}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018947Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:15.707{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2E2B-5FCE-0000-0010AE722900}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018948Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:15.707{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018949Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:15.707{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018950Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:15.707{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018951Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:15.707{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018952Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:15.707{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2E2B-5FCE-0000-0010AE722900}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018953Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:15.847{7E7FFDA1-2E2B-5FCE-0000-0010AE722900}33925896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018927Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:14.364{7E7FFDA1-2E2A-5FCE-0000-0010DB6E2900}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018928Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:14.363{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2E2A-5FCE-0000-0010DB6E2900}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018929Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:14.363{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2E2A-5FCE-0000-0010DB6E2900}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018930Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:14.363{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018931Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:14.363{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018932Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:14.363{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018933Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:14.363{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018934Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:14.363{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2E2A-5FCE-0000-0010DB6E2900}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018935Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:14.504{7E7FFDA1-2E2A-5FCE-0000-0010DB6E2900}24326296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018919Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:13.708{7E7FFDA1-2E29-5FCE-0000-00103C6D2900}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018920Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:13.707{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2E29-5FCE-0000-00103C6D2900}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018921Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:13.707{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2E29-5FCE-0000-00103C6D2900}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018922Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:13.707{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018923Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:13.707{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018924Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:13.707{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018925Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:13.707{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018926Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:13.707{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2E29-5FCE-0000-00103C6D2900}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018910Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:12.380{7E7FFDA1-2E28-5FCE-0000-00104A6B2900}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018911Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:12.379{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2E28-5FCE-0000-00104A6B2900}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018912Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:12.379{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2E28-5FCE-0000-00104A6B2900}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018913Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:12.379{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018914Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:12.379{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018915Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:12.379{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018916Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:12.379{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018917Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:12.379{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2E28-5FCE-0000-00104A6B2900}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018918Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:12.519{7E7FFDA1-2E28-5FCE-0000-00104A6B2900}65724360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018902Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:11.567{7E7FFDA1-2E27-5FCE-0000-00109F692900}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018903Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:11.566{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2E27-5FCE-0000-00109F692900}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018904Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:11.566{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2E27-5FCE-0000-00109F692900}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018905Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:11.566{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018906Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:11.566{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018907Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:11.566{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018908Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:11.566{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018909Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:29:11.566{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2E27-5FCE-0000-00109F692900}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018894Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:16.693{7E7FFDA1-2DF0-5FCE-0000-0010805C2900}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018895Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:16.692{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2DF0-5FCE-0000-0010805C2900}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018896Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:16.692{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-2DF0-5FCE-0000-0010805C2900}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018897Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:16.692{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018898Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:16.692{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018899Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:16.692{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018900Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:16.692{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018901Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:16.692{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2DF0-5FCE-0000-0010805C2900}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018881Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:15.067{7E7FFDA1-2DEE-5FCE-0000-0010A3562900}26686592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000018882Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:28:15.551{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_A47110B2-D436-47F8-BEA1-61CCEBF6C04E.XML 13241300x800000000000000018883Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:28:15.551{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Config SourceDWORD (0x00000001) 13241300x800000000000000018884Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:28:15.551{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9D191D6C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9D191D6C-0000-0000-0000-100000000000.XML 154100x800000000000000018885Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:15.599{7E7FFDA1-2DEF-5FCE-0000-0010195A2900}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018886Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:15.598{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2DEF-5FCE-0000-0010195A2900}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018887Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:15.598{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2DEF-5FCE-0000-0010195A2900}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018888Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:15.598{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018889Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:15.598{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018890Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:15.598{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018891Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:15.598{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018892Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:15.598{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2DEF-5FCE-0000-0010195A2900}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018893Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:15.739{7E7FFDA1-2DEF-5FCE-0000-0010195A2900}38403952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018865Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:14.349{7E7FFDA1-2DEE-5FCE-0000-0010D5542900}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018866Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:14.348{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2DEE-5FCE-0000-0010D5542900}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018867Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:14.348{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-2DEE-5FCE-0000-0010D5542900}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018868Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:14.348{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018869Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:14.348{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018870Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:14.348{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018871Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:14.348{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018872Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:14.348{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2DEE-5FCE-0000-0010D5542900}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018873Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:14.928{7E7FFDA1-2DEE-5FCE-0000-0010A3562900}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018874Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:14.926{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2DEE-5FCE-0000-0010A3562900}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018875Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:14.926{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2DEE-5FCE-0000-0010A3562900}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018876Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:14.926{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018877Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:14.926{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018878Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:14.926{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018879Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:14.926{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018880Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:14.926{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2DEE-5FCE-0000-0010A3562900}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018856Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:13.693{7E7FFDA1-2DED-5FCE-0000-001045532900}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018857Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:13.692{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2DED-5FCE-0000-001045532900}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018858Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:13.692{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2DED-5FCE-0000-001045532900}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018859Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:13.692{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018860Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:13.692{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018861Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:13.692{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018862Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:13.692{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018863Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:13.692{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2DED-5FCE-0000-001045532900}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018864Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:13.832{7E7FFDA1-2DED-5FCE-0000-001045532900}49565264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018847Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:12.364{7E7FFDA1-2DEC-5FCE-0000-001057512900}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018848Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:12.364{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2DEC-5FCE-0000-001057512900}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018849Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:12.364{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-2DEC-5FCE-0000-001057512900}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018850Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:12.364{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018851Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:12.364{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018852Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:12.364{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018853Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:12.364{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018854Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:12.364{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2DEC-5FCE-0000-001057512900}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018855Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:12.504{7E7FFDA1-2DEC-5FCE-0000-001057512900}59765948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018839Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:11.568{7E7FFDA1-2DEB-5FCE-0000-0010C84F2900}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018840Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:11.567{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2DEB-5FCE-0000-0010C84F2900}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018841Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:11.567{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2DEB-5FCE-0000-0010C84F2900}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018842Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:11.567{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018843Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:11.567{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018844Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:11.567{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018845Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:11.567{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018846Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:11.567{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2DEB-5FCE-0000-0010C84F2900}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018810Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:02.676{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018811Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:02.676{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018812Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:02.676{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018813Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:02.676{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018814Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:02.676{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018815Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:02.676{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018816Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:02.676{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018817Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:02.676{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018818Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:02.676{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018819Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:02.676{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018820Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:02.676{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018821Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:02.676{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018822Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:02.676{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018823Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:02.676{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018824Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:02.676{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018825Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:02.676{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018826Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:02.676{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018827Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:02.676{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018828Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:02.676{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018829Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:02.676{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018830Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:02.676{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018831Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:02.676{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018832Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:02.676{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018833Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:02.676{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018834Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:02.676{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018835Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:02.676{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018836Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:02.676{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018837Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:02.676{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018838Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:28:02.676{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000018796Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:27:39.333{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001) 10341000x800000000000000018797Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:39.333{7E7FFDA1-18AF-5FCE-0000-001027540000}856424C:\Windows\system32\lsass.exe{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31375|C:\Windows\system32\lsasrv.dll+2f20b|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x800000000000000018798Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:27:39.333{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\Hostnamewin-dc-633 13241300x800000000000000018799Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:27:39.333{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\AdapterDomainName(Empty) 13241300x800000000000000018800Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:27:39.333{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\PrimaryDomainNameattackrange.local 13241300x800000000000000018801Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:27:39.333{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\HostAddrsBinary Data 13241300x800000000000000018802Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:27:39.333{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\DnsServersBinary Data 13241300x800000000000000018803Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:27:39.333{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\SentUpdateToIpBinary Data 13241300x800000000000000018804Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:27:39.333{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\SentPriUpdateToIpBinary Data 13241300x800000000000000018805Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:27:39.333{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\TtlDWORD (0x000004b0) 13241300x800000000000000018806Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:27:39.333{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\FlagsDWORD (0x00000002) 13241300x800000000000000018807Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:27:39.333{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\CompartmentIdDWORD (0x00000001) 13241300x800000000000000018808Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:27:39.333{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\StaleAdapterDWORD (0x00000000) 13241300x800000000000000018809Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:27:39.333{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001) 10341000x800000000000000018782Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:37.114{7E7FFDA1-18B1-5FCE-0000-001002BA0000}1152760C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018783Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:37.114{7E7FFDA1-18B1-5FCE-0000-001002BA0000}1152760C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000018784Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:27:37.301{7E7FFDA1-18B1-5FCE-0000-001014C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpInterfaceOptionsBinary Data 13241300x800000000000000018785Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:27:37.301{7E7FFDA1-18B1-5FCE-0000-001014C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpIPAddress10.0.1.14 13241300x800000000000000018786Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:27:37.301{7E7FFDA1-18B1-5FCE-0000-001014C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpSubnetMask255.255.255.0 13241300x800000000000000018787Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:27:37.301{7E7FFDA1-18B1-5FCE-0000-001014C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpServer10.0.1.1 13241300x800000000000000018788Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:27:37.301{7E7FFDA1-18B1-5FCE-0000-001014C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\LeaseDWORD (0x00000e10) 13241300x800000000000000018789Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:27:37.301{7E7FFDA1-18B1-5FCE-0000-001014C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\LeaseObtainedTimeDWORD (0x5fce2dc9) 13241300x800000000000000018790Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:27:37.301{7E7FFDA1-18B1-5FCE-0000-001014C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\T1DWORD (0x5fce34d1) 13241300x800000000000000018791Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:27:37.301{7E7FFDA1-18B1-5FCE-0000-001014C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\T2DWORD (0x5fce3a17) 13241300x800000000000000018792Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:27:37.301{7E7FFDA1-18B1-5FCE-0000-001014C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\LeaseTerminatesTimeDWORD (0x5fce3bd9) 13241300x800000000000000018793Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:27:37.301{7E7FFDA1-18B1-5FCE-0000-001014C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\AddressTypeDWORD (0x00000000) 13241300x800000000000000018794Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:27:37.301{7E7FFDA1-18B1-5FCE-0000-001014C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\IsServerNapAwareDWORD (0x00000000) 13241300x800000000000000018795Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:27:37.301{7E7FFDA1-18B1-5FCE-0000-001014C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 10341000x800000000000000018781Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:35.489{7E7FFDA1-18AF-5FCE-0000-001027540000}856424C:\Windows\system32\lsass.exe{7E7FFDA1-18AE-5FCE-0000-0010EB030000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 154100x800000000000000018773Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:16.803{7E7FFDA1-2DB4-5FCE-0000-00105C3C2900}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018774Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:16.802{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2DB4-5FCE-0000-00105C3C2900}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018775Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:16.802{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-2DB4-5FCE-0000-00105C3C2900}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018776Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:16.802{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018777Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:16.802{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018778Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:16.802{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018779Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:16.802{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018780Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:16.802{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2DB4-5FCE-0000-00105C3C2900}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018755Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:15.021{7E7FFDA1-2DB3-5FCE-0000-00107A382900}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018756Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:15.020{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2DB3-5FCE-0000-00107A382900}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018757Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:15.020{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2DB3-5FCE-0000-00107A382900}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018758Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:15.020{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018759Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:15.020{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018760Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:15.020{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018761Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:15.020{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018762Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:15.020{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2DB3-5FCE-0000-00107A382900}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018763Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:15.161{7E7FFDA1-2DB3-5FCE-0000-00107A382900}54162600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018764Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:15.693{7E7FFDA1-2DB3-5FCE-0000-0010333A2900}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018765Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:15.692{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2DB3-5FCE-0000-0010333A2900}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018766Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:15.692{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2DB3-5FCE-0000-0010333A2900}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018767Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:15.692{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018768Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:15.692{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018769Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:15.692{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018770Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:15.692{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018771Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:15.692{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2DB3-5FCE-0000-0010333A2900}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018772Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:15.833{7E7FFDA1-2DB3-5FCE-0000-0010333A2900}51682676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018746Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:14.349{7E7FFDA1-2DB2-5FCE-0000-0010D5362900}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018747Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:14.348{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2DB2-5FCE-0000-0010D5362900}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018748Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:14.348{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-2DB2-5FCE-0000-0010D5362900}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018749Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:14.348{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018750Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:14.348{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018751Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:14.348{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018752Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:14.348{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018753Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:14.348{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2DB2-5FCE-0000-0010D5362900}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018754Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:14.489{7E7FFDA1-2DB2-5FCE-0000-0010D5362900}29043984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018738Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:13.693{7E7FFDA1-2DB1-5FCE-0000-00101D352900}1416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018739Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:13.692{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2DB1-5FCE-0000-00101D352900}1416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018740Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:13.692{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-2DB1-5FCE-0000-00101D352900}1416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018741Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:13.692{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018742Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:13.692{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018743Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:13.692{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018744Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:13.692{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018745Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:13.692{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2DB1-5FCE-0000-00101D352900}1416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018729Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:12.365{7E7FFDA1-2DB0-5FCE-0000-001056332900}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018730Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:12.364{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2DB0-5FCE-0000-001056332900}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018731Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:12.364{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-2DB0-5FCE-0000-001056332900}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018732Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:12.364{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018733Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:12.364{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018734Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:12.364{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018735Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:12.364{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018736Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:12.364{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2DB0-5FCE-0000-001056332900}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018737Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:12.505{7E7FFDA1-2DB0-5FCE-0000-001056332900}14284324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018721Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:11.568{7E7FFDA1-2DAF-5FCE-0000-0010A5312900}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018722Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:11.567{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2DAF-5FCE-0000-0010A5312900}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018723Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:11.567{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2DAF-5FCE-0000-0010A5312900}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018724Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:11.567{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018725Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:11.567{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018726Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:11.567{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018727Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:11.567{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018728Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:27:11.567{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2DAF-5FCE-0000-0010A5312900}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018713Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:16.865{7E7FFDA1-2D78-5FCE-0000-0010C2252900}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018714Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:16.865{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2D78-5FCE-0000-0010C2252900}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018715Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:16.865{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2D78-5FCE-0000-0010C2252900}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018716Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:16.865{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018717Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:16.865{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018718Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:16.865{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018719Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:16.865{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018720Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:16.865{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2D78-5FCE-0000-0010C2252900}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018695Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:15.022{7E7FFDA1-2D77-5FCE-0000-001008222900}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018696Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:15.021{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2D77-5FCE-0000-001008222900}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018697Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:15.021{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2D77-5FCE-0000-001008222900}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018698Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:15.021{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018699Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:15.021{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018700Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:15.021{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018701Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:15.021{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018702Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:15.021{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2D77-5FCE-0000-001008222900}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018703Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:15.161{7E7FFDA1-2D77-5FCE-0000-001008222900}54482500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018704Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:15.693{7E7FFDA1-2D77-5FCE-0000-001096232900}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018705Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:15.693{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2D77-5FCE-0000-001096232900}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018706Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:15.693{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2D77-5FCE-0000-001096232900}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018707Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:15.693{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018708Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:15.693{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018709Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:15.693{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018710Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:15.693{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018711Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:15.693{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2D77-5FCE-0000-001096232900}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018712Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:15.833{7E7FFDA1-2D77-5FCE-0000-001096232900}52205072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018687Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:14.350{7E7FFDA1-2D76-5FCE-0000-001032202900}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018688Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:14.349{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2D76-5FCE-0000-001032202900}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018689Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:14.349{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2D76-5FCE-0000-001032202900}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018690Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:14.349{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018691Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:14.349{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018692Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:14.349{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018693Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:14.349{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018694Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:14.349{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2D76-5FCE-0000-001032202900}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018678Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:13.678{7E7FFDA1-2D75-5FCE-0000-0010881E2900}4788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018679Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:13.677{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2D75-5FCE-0000-0010881E2900}4788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018680Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:13.677{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2D75-5FCE-0000-0010881E2900}4788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018681Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:13.677{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018682Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:13.677{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018683Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:13.677{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018684Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:13.677{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018685Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:13.677{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2D75-5FCE-0000-0010881E2900}4788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018686Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:13.818{7E7FFDA1-2D75-5FCE-0000-0010881E2900}47885424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018669Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:12.365{7E7FFDA1-2D74-5FCE-0000-0010C21C2900}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018670Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:12.365{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2D74-5FCE-0000-0010C21C2900}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018671Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:12.365{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-2D74-5FCE-0000-0010C21C2900}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018672Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:12.365{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018673Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:12.365{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018674Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:12.365{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018675Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:12.365{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018676Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:12.365{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2D74-5FCE-0000-0010C21C2900}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018677Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:12.505{7E7FFDA1-2D74-5FCE-0000-0010C21C2900}37962784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018661Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:11.553{7E7FFDA1-2D73-5FCE-0000-00100D1B2900}4592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018662Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:11.552{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2D73-5FCE-0000-00100D1B2900}4592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018663Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:11.552{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-2D73-5FCE-0000-00100D1B2900}4592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018664Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:11.552{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018665Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:11.552{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018666Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:11.552{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018667Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:11.552{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018668Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:11.552{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2D73-5FCE-0000-00100D1B2900}4592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018632Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:01.662{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018633Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:01.662{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018634Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:01.662{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018635Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:01.662{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018636Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:01.662{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018637Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:01.662{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018638Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:01.662{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018639Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:01.662{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018640Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:01.662{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018641Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:01.662{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018642Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:01.662{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018643Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:01.662{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018644Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:01.662{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018645Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:01.662{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018646Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:01.662{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018647Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:01.662{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018648Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:01.662{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018649Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:01.662{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018650Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:01.662{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018651Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:01.662{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018652Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:01.662{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018653Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:01.662{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018654Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:01.662{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018655Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:01.662{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018656Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:01.662{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018657Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:01.662{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018658Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:01.662{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018659Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:01.662{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018660Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:26:01.662{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000018622Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:25:58.287{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6cca4-0xe137fd9a) 13241300x800000000000000018623Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:25:58.287{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cc9c-0x7f73959a) 13241300x800000000000000018624Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:25:58.287{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc94-0x1daf2d9a) 13241300x800000000000000018625Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:25:58.287{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x005100a2) 13241300x800000000000000018626Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:25:58.287{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000018627Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:25:58.287{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6cca4-0xe137fd9a) 13241300x800000000000000018628Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:25:58.287{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cc9c-0x7f73959a) 13241300x800000000000000018629Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:25:58.287{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc94-0x1daf2d9a) 13241300x800000000000000018630Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:25:58.287{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x005100a2) 13241300x800000000000000018631Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:25:58.287{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 10341000x800000000000000018621Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:38.880{7E7FFDA1-18AF-5FCE-0000-001027540000}8562468C:\Windows\system32\lsass.exe{7E7FFDA1-18AE-5FCE-0000-0010EB030000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000018618Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:37.318{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018619Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:37.318{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018620Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:37.318{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018610Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:16.850{7E7FFDA1-2D3C-5FCE-0000-00104E092900}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018611Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:16.849{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2D3C-5FCE-0000-00104E092900}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018612Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:16.849{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2D3C-5FCE-0000-00104E092900}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018613Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:16.849{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018614Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:16.849{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018615Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:16.849{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018616Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:16.849{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018617Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:16.849{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2D3C-5FCE-0000-00104E092900}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018592Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:15.022{7E7FFDA1-2D3B-5FCE-0000-00107A052900}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018593Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:15.021{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2D3B-5FCE-0000-00107A052900}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018594Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:15.021{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-2D3B-5FCE-0000-00107A052900}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018595Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:15.021{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018596Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:15.021{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018597Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:15.021{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018598Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:15.021{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018599Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:15.021{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2D3B-5FCE-0000-00107A052900}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018600Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:15.162{7E7FFDA1-2D3B-5FCE-0000-00107A052900}68964232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018601Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:15.694{7E7FFDA1-2D3B-5FCE-0000-001024072900}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018602Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:15.693{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2D3B-5FCE-0000-001024072900}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018603Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:15.693{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-2D3B-5FCE-0000-001024072900}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018604Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:15.693{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018605Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:15.693{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018606Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:15.693{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018607Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:15.693{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018608Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:15.693{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2D3B-5FCE-0000-001024072900}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018609Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:15.834{7E7FFDA1-2D3B-5FCE-0000-001024072900}43602572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018584Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:14.350{7E7FFDA1-2D3A-5FCE-0000-0010A6032900}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018585Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:14.349{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2D3A-5FCE-0000-0010A6032900}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018586Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:14.349{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-2D3A-5FCE-0000-0010A6032900}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018587Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:14.349{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018588Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:14.349{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018589Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:14.349{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018590Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:14.349{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018591Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:14.349{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2D3A-5FCE-0000-0010A6032900}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018575Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:13.678{7E7FFDA1-2D39-5FCE-0000-001018022900}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018576Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:13.678{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2D39-5FCE-0000-001018022900}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018577Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:13.678{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-2D39-5FCE-0000-001018022900}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018578Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:13.678{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018579Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:13.678{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018580Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:13.678{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018581Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:13.678{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018582Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:13.678{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2D39-5FCE-0000-001018022900}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018583Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:13.818{7E7FFDA1-2D39-5FCE-0000-001018022900}32123472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018566Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:12.366{7E7FFDA1-2D38-5FCE-0000-00102C002900}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018567Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:12.365{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2D38-5FCE-0000-00102C002900}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018568Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:12.365{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2D38-5FCE-0000-00102C002900}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018569Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:12.365{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018570Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:12.365{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018571Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:12.365{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018572Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:12.365{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018573Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:12.365{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2D38-5FCE-0000-00102C002900}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018574Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:12.506{7E7FFDA1-2D38-5FCE-0000-00102C002900}71566824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018558Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:11.553{7E7FFDA1-2D37-5FCE-0000-001096FE2800}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018559Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:11.553{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2D37-5FCE-0000-001096FE2800}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018560Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:11.553{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2D37-5FCE-0000-001096FE2800}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018561Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:11.553{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018562Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:11.553{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018563Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:11.553{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018564Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:11.553{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018565Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:25:11.553{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2D37-5FCE-0000-001096FE2800}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018550Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:16.819{7E7FFDA1-2D00-5FCE-0000-00109FF22800}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018551Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:16.819{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2D00-5FCE-0000-00109FF22800}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018552Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:16.819{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-2D00-5FCE-0000-00109FF22800}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018553Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:16.819{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018554Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:16.819{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018555Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:16.819{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018556Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:16.819{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018557Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:16.819{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2D00-5FCE-0000-00109FF22800}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018540Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:15.116{7E7FFDA1-2CFE-5FCE-0000-0010C3EE2800}47405976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018541Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:15.648{7E7FFDA1-2CFF-5FCE-0000-00106BF02800}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018542Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:15.647{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2CFF-5FCE-0000-00106BF02800}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018543Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:15.647{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2CFF-5FCE-0000-00106BF02800}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018544Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:15.647{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018545Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:15.647{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018546Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:15.647{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018547Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:15.647{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018548Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:15.647{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2CFF-5FCE-0000-00106BF02800}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018549Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:15.787{7E7FFDA1-2CFF-5FCE-0000-00106BF02800}15723532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018524Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:14.335{7E7FFDA1-2CFE-5FCE-0000-0010F5EC2800}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018525Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:14.334{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2CFE-5FCE-0000-0010F5EC2800}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018526Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:14.334{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-2CFE-5FCE-0000-0010F5EC2800}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018527Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:14.334{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018528Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:14.334{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018529Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:14.334{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018530Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:14.334{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018531Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:14.334{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2CFE-5FCE-0000-0010F5EC2800}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018532Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:14.976{7E7FFDA1-2CFE-5FCE-0000-0010C3EE2800}4740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018533Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:14.975{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2CFE-5FCE-0000-0010C3EE2800}4740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018534Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:14.975{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2CFE-5FCE-0000-0010C3EE2800}4740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018535Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:14.975{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018536Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:14.975{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018537Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:14.975{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018538Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:14.975{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018539Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:14.975{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2CFE-5FCE-0000-0010C3EE2800}4740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018515Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:13.663{7E7FFDA1-2CFD-5FCE-0000-001069EB2800}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018516Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:13.662{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2CFD-5FCE-0000-001069EB2800}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018517Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:13.662{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2CFD-5FCE-0000-001069EB2800}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018518Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:13.662{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018519Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:13.662{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018520Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:13.662{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018521Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:13.662{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018522Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:13.662{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2CFD-5FCE-0000-001069EB2800}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018523Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:13.803{7E7FFDA1-2CFD-5FCE-0000-001069EB2800}68723448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018506Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:12.335{7E7FFDA1-2CFC-5FCE-0000-00108CE92800}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018507Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:12.334{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2CFC-5FCE-0000-00108CE92800}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018508Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:12.334{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2CFC-5FCE-0000-00108CE92800}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018509Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:12.334{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018510Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:12.334{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018511Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:12.334{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018512Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:12.334{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018513Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:12.334{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2CFC-5FCE-0000-00108CE92800}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018514Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:12.475{7E7FFDA1-2CFC-5FCE-0000-00108CE92800}60606164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018498Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:11.538{7E7FFDA1-2CFB-5FCE-0000-0010E0E72800}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018499Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:11.537{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2CFB-5FCE-0000-0010E0E72800}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018500Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:11.537{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2CFB-5FCE-0000-0010E0E72800}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018501Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:11.537{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018502Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:11.537{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018503Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:11.537{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018504Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:11.537{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018505Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:11.537{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2CFB-5FCE-0000-0010E0E72800}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018469Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:00.647{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018470Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:00.647{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018471Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:00.647{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018472Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:00.647{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018473Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:00.647{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018474Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:00.647{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018475Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:00.647{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018476Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:00.647{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018477Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:00.647{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018478Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:00.647{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018479Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:00.647{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018480Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:00.647{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018481Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:00.647{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018482Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:00.647{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018483Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:00.647{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018484Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:00.647{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018485Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:00.647{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018486Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:00.647{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018487Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:00.647{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018488Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:00.647{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018489Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:00.647{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018490Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:00.647{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018491Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:00.647{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018492Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:00.647{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018493Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:00.647{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018494Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:00.647{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018495Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:00.647{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018496Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:00.647{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018497Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:24:00.647{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018461Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:16.804{7E7FFDA1-2CC4-5FCE-0000-00108FDB2800}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018462Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:16.803{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2CC4-5FCE-0000-00108FDB2800}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018463Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:16.803{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2CC4-5FCE-0000-00108FDB2800}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018464Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:16.803{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018465Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:16.803{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018466Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:16.803{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018467Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:16.803{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018468Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:16.803{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2CC4-5FCE-0000-00108FDB2800}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018448Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:15.022{7E7FFDA1-2CC2-5FCE-0000-0010ADD52800}57641136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000018449Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:23:15.132{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_A47110B2-D436-47F8-BEA1-61CCEBF6C04E.XML 13241300x800000000000000018450Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:23:15.132{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Config SourceDWORD (0x00000001) 13241300x800000000000000018451Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:23:15.147{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9D191D6C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9D191D6C-0000-0000-0000-100000000000.XML 154100x800000000000000018452Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:15.554{7E7FFDA1-2CC3-5FCE-0000-001021D92800}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018453Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:15.554{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2CC3-5FCE-0000-001021D92800}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018454Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:15.554{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-2CC3-5FCE-0000-001021D92800}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018455Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:15.554{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018456Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:15.554{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018457Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:15.554{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018458Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:15.554{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018459Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:15.554{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2CC3-5FCE-0000-001021D92800}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018460Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:15.694{7E7FFDA1-2CC3-5FCE-0000-001021D92800}14561060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018432Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:14.336{7E7FFDA1-2CC2-5FCE-0000-0010F7D32800}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018433Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:14.335{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2CC2-5FCE-0000-0010F7D32800}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018434Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:14.335{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-2CC2-5FCE-0000-0010F7D32800}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018435Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:14.335{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018436Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:14.335{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018437Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:14.335{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018438Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:14.335{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018439Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:14.335{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2CC2-5FCE-0000-0010F7D32800}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018440Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:14.883{7E7FFDA1-2CC2-5FCE-0000-0010ADD52800}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018441Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:14.882{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2CC2-5FCE-0000-0010ADD52800}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018442Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:14.882{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-2CC2-5FCE-0000-0010ADD52800}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018443Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:14.882{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018444Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:14.882{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018445Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:14.882{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018446Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:14.882{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018447Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:14.882{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2CC2-5FCE-0000-0010ADD52800}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018423Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:13.664{7E7FFDA1-2CC1-5FCE-0000-001050D22800}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018424Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:13.663{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2CC1-5FCE-0000-001050D22800}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018425Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:13.663{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2CC1-5FCE-0000-001050D22800}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018426Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:13.663{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018427Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:13.663{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018428Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:13.663{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018429Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:13.663{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018430Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:13.663{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2CC1-5FCE-0000-001050D22800}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018431Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:13.803{7E7FFDA1-2CC1-5FCE-0000-001050D22800}42126368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018414Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:12.445{7E7FFDA1-2CC0-5FCE-0000-001070D02800}7116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018415Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:12.444{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2CC0-5FCE-0000-001070D02800}7116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018416Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:12.444{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2CC0-5FCE-0000-001070D02800}7116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018417Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:12.444{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018418Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:12.444{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018419Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:12.444{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018420Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:12.444{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018421Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:12.444{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2CC0-5FCE-0000-001070D02800}7116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018422Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:12.585{7E7FFDA1-2CC0-5FCE-0000-001070D02800}71165356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018406Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:11.539{7E7FFDA1-2CBF-5FCE-0000-0010BBCE2800}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018407Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:11.538{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2CBF-5FCE-0000-0010BBCE2800}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018408Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:11.538{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-2CBF-5FCE-0000-0010BBCE2800}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018409Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:11.538{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018410Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:11.538{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018411Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:11.538{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018412Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:11.538{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018413Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:23:11.538{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2CBF-5FCE-0000-0010BBCE2800}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018398Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:16.867{7E7FFDA1-2C88-5FCE-0000-0010C9C22800}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018399Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:16.866{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2C88-5FCE-0000-0010C9C22800}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018400Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:16.866{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2C88-5FCE-0000-0010C9C22800}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018401Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:16.866{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018402Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:16.866{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018403Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:16.866{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018404Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:16.866{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018405Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:16.866{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2C88-5FCE-0000-0010C9C22800}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018388Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:15.070{7E7FFDA1-2C86-5FCE-0000-0010E9BE2800}28202500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018389Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:15.602{7E7FFDA1-2C87-5FCE-0000-001095C02800}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018390Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:15.601{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2C87-5FCE-0000-001095C02800}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018391Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:15.601{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2C87-5FCE-0000-001095C02800}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018392Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:15.601{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018393Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:15.601{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018394Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:15.601{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018395Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:15.601{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018396Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:15.601{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2C87-5FCE-0000-001095C02800}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018397Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:15.757{7E7FFDA1-2C87-5FCE-0000-001095C02800}49606688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018371Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:14.320{7E7FFDA1-2C86-5FCE-0000-001046BD2800}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018372Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:14.320{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2C86-5FCE-0000-001046BD2800}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018373Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:14.320{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2C86-5FCE-0000-001046BD2800}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018374Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:14.320{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018375Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:14.320{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018376Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:14.320{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018377Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:14.320{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018378Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:14.320{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2C86-5FCE-0000-001046BD2800}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018379Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:14.460{7E7FFDA1-2C86-5FCE-0000-001046BD2800}47121608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018380Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:14.931{7E7FFDA1-2C86-5FCE-0000-0010E9BE2800}2820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018381Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:14.929{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2C86-5FCE-0000-0010E9BE2800}2820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018382Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:14.929{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-2C86-5FCE-0000-0010E9BE2800}2820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018383Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:14.929{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018384Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:14.929{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018385Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:14.929{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018386Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:14.929{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018387Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:14.929{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2C86-5FCE-0000-0010E9BE2800}2820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018363Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:13.649{7E7FFDA1-2C85-5FCE-0000-00108BBB2800}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018364Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:13.648{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2C85-5FCE-0000-00108BBB2800}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018365Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:13.648{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2C85-5FCE-0000-00108BBB2800}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018366Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:13.648{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018367Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:13.648{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018368Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:13.648{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018369Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:13.648{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018370Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:13.648{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2C85-5FCE-0000-00108BBB2800}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018354Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:12.430{7E7FFDA1-2C84-5FCE-0000-0010C3B92800}6564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018355Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:12.429{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2C84-5FCE-0000-0010C3B92800}6564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018356Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:12.429{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-2C84-5FCE-0000-0010C3B92800}6564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018357Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:12.429{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018358Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:12.429{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018359Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:12.429{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018360Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:12.429{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018361Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:12.429{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2C84-5FCE-0000-0010C3B92800}6564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018362Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:12.570{7E7FFDA1-2C84-5FCE-0000-0010C3B92800}65642784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018346Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:11.539{7E7FFDA1-2C83-5FCE-0000-00100EB82800}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018347Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:11.538{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2C83-5FCE-0000-00100EB82800}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018348Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:11.538{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2C83-5FCE-0000-00100EB82800}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018349Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:11.538{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018350Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:11.538{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018351Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:11.538{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018352Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:11.538{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018353Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:22:11.538{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2C83-5FCE-0000-00100EB82800}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018345Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:39.632{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}6122084C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-001002BA0000}1152C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018337Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:16.868{7E7FFDA1-2C4C-5FCE-0000-0010BC9B2800}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018338Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:16.867{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2C4C-5FCE-0000-0010BC9B2800}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018339Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:16.867{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-2C4C-5FCE-0000-0010BC9B2800}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018340Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:16.867{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018341Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:16.867{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018342Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:16.867{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018343Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:16.867{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018344Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:16.867{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2C4C-5FCE-0000-0010BC9B2800}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018327Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:15.117{7E7FFDA1-2C4A-5FCE-0000-0010DA972800}59206904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018328Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:15.649{7E7FFDA1-2C4B-5FCE-0000-00108B992800}6956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018329Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:15.648{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2C4B-5FCE-0000-00108B992800}6956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018330Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:15.648{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2C4B-5FCE-0000-00108B992800}6956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018331Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:15.648{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018332Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:15.648{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018333Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:15.648{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018334Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:15.648{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018335Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:15.648{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2C4B-5FCE-0000-00108B992800}6956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018336Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:15.789{7E7FFDA1-2C4B-5FCE-0000-00108B992800}69565928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018310Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:14.305{7E7FFDA1-2C4A-5FCE-0000-001023962800}6840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018311Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:14.304{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2C4A-5FCE-0000-001023962800}6840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018312Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:14.304{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2C4A-5FCE-0000-001023962800}6840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018313Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:14.304{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018314Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:14.304{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018315Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:14.304{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018316Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:14.304{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018317Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:14.304{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2C4A-5FCE-0000-001023962800}6840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018318Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:14.445{7E7FFDA1-2C4A-5FCE-0000-001023962800}68406616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018319Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:14.977{7E7FFDA1-2C4A-5FCE-0000-0010DA972800}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018320Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:14.976{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2C4A-5FCE-0000-0010DA972800}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018321Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:14.976{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-2C4A-5FCE-0000-0010DA972800}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018322Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:14.976{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018323Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:14.976{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018324Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:14.976{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018325Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:14.976{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018326Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:14.976{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2C4A-5FCE-0000-0010DA972800}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018302Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:13.634{7E7FFDA1-2C49-5FCE-0000-001080942800}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018303Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:13.633{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2C49-5FCE-0000-001080942800}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018304Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:13.633{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2C49-5FCE-0000-001080942800}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018305Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:13.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018306Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:13.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018307Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:13.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018308Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:13.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018309Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:13.633{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2C49-5FCE-0000-001080942800}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018293Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:12.415{7E7FFDA1-2C48-5FCE-0000-001096922800}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018294Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:12.414{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2C48-5FCE-0000-001096922800}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018295Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:12.414{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-2C48-5FCE-0000-001096922800}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018296Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:12.414{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018297Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:12.414{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018298Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:12.414{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018299Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:12.414{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018300Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:12.414{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2C48-5FCE-0000-001096922800}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018301Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:12.554{7E7FFDA1-2C48-5FCE-0000-001096922800}67204596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000018279Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:21:10.992{7E7FFDA1-18B1-5FCE-0000-001044CB0000}1260C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001) 13241300x800000000000000018280Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:21:10.992{7E7FFDA1-18B1-5FCE-0000-001044CB0000}1260C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data 13241300x800000000000000018281Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:21:10.992{7E7FFDA1-18B1-5FCE-0000-001044CB0000}1260C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d6cc9b-0xd46d17c1) 13241300x800000000000000018282Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:21:10.992{7E7FFDA1-18B1-5FCE-0000-001044CB0000}1260C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000) 13241300x800000000000000018283Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:21:10.992{7E7FFDA1-18B1-5FCE-0000-001044CB0000}1260C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008) 13241300x800000000000000018284Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:21:10.992{7E7FFDA1-18B1-5FCE-0000-001044CB0000}1260C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data 154100x800000000000000018285Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:11.524{7E7FFDA1-2C47-5FCE-0000-0010F1902800}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018286Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:11.523{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2C47-5FCE-0000-0010F1902800}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018287Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:11.523{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2C47-5FCE-0000-0010F1902800}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018288Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:11.523{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018289Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:11.523{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018290Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:11.523{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018291Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:11.523{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018292Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:21:11.523{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2C47-5FCE-0000-0010F1902800}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000018269Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:20:58.273{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6cca4-0x2e679f9a) 13241300x800000000000000018270Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:20:58.273{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cc9b-0xcca3379a) 13241300x800000000000000018271Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:20:58.273{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc93-0x6adecf9a) 13241300x800000000000000018272Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:20:58.273{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x004c6cc2) 13241300x800000000000000018273Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:20:58.273{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000018274Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:20:58.273{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6cca4-0x2e679f9a) 13241300x800000000000000018275Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:20:58.273{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cc9b-0xcca3379a) 13241300x800000000000000018276Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:20:58.273{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc93-0x6adecf9a) 13241300x800000000000000018277Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:20:58.273{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x004c6cc2) 13241300x800000000000000018278Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:20:58.273{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 10341000x800000000000000018268Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:38.742{7E7FFDA1-18AF-5FCE-0000-001027540000}856896C:\Windows\system32\lsass.exe{7E7FFDA1-18AE-5FCE-0000-0010EB030000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000018265Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:37.305{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018266Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:37.305{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018267Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:37.305{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000018264Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:20:33.539{7E7FFDA1-18B1-5FCE-0000-001008C50000}1204C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6cc9b-0xbe1a42d1) 154100x800000000000000018256Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:16.868{7E7FFDA1-2C10-5FCE-0000-00103F7F2800}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018257Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:16.867{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2C10-5FCE-0000-00103F7F2800}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018258Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:16.867{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2C10-5FCE-0000-00103F7F2800}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018259Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:16.867{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018260Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:16.867{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018261Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:16.867{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018262Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:16.867{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018263Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:16.867{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2C10-5FCE-0000-00103F7F2800}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018246Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:15.039{7E7FFDA1-2C0E-5FCE-0000-00105E7B2800}47405492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018247Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:15.571{7E7FFDA1-2C0F-5FCE-0000-00100F7D2800}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018248Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:15.571{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2C0F-5FCE-0000-00100F7D2800}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018249Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:15.571{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2C0F-5FCE-0000-00100F7D2800}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018250Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:15.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018251Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:15.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018252Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:15.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018253Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:15.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018254Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:15.571{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2C0F-5FCE-0000-00100F7D2800}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018255Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:15.711{7E7FFDA1-2C0F-5FCE-0000-00100F7D2800}15727072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018229Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:14.306{7E7FFDA1-2C0E-5FCE-0000-0010C1792800}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018230Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:14.305{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2C0E-5FCE-0000-0010C1792800}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018231Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:14.305{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-2C0E-5FCE-0000-0010C1792800}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018232Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:14.305{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018233Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:14.305{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018234Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:14.305{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018235Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:14.305{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018236Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:14.305{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2C0E-5FCE-0000-0010C1792800}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018237Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:14.446{7E7FFDA1-2C0E-5FCE-0000-0010C1792800}60723896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018238Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:14.900{7E7FFDA1-2C0E-5FCE-0000-00105E7B2800}4740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018239Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:14.899{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2C0E-5FCE-0000-00105E7B2800}4740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018240Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:14.899{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2C0E-5FCE-0000-00105E7B2800}4740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018241Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:14.899{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018242Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:14.899{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018243Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:14.899{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018244Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:14.899{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018245Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:14.899{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2C0E-5FCE-0000-00105E7B2800}4740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018221Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:13.634{7E7FFDA1-2C0D-5FCE-0000-0010F5772800}4964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018222Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:13.633{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2C0D-5FCE-0000-0010F5772800}4964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018223Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:13.633{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2C0D-5FCE-0000-0010F5772800}4964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018224Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:13.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018225Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:13.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018226Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:13.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018227Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:13.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018228Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:13.633{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2C0D-5FCE-0000-0010F5772800}4964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018212Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:12.400{7E7FFDA1-2C0C-5FCE-0000-00101C762800}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018213Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:12.399{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2C0C-5FCE-0000-00101C762800}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018214Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:12.399{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2C0C-5FCE-0000-00101C762800}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018215Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:12.399{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018216Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:12.399{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018217Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:12.399{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018218Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:12.399{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018219Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:12.399{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2C0C-5FCE-0000-00101C762800}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018220Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:12.539{7E7FFDA1-2C0C-5FCE-0000-00101C762800}60601064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018204Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:11.509{7E7FFDA1-2C0B-5FCE-0000-001072742800}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018205Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:11.508{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2C0B-5FCE-0000-001072742800}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018206Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:11.508{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2C0B-5FCE-0000-001072742800}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018207Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:11.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018208Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:11.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018209Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:11.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018210Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:11.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018211Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:11.508{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2C0B-5FCE-0000-001072742800}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018175Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:06.446{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018176Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:06.446{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018177Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:06.446{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018178Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:06.446{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018179Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:06.446{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018180Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:06.446{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018181Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:06.446{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018182Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:06.446{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018183Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:06.446{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018184Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:06.446{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018185Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:06.446{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018186Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:06.446{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018187Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:06.446{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018188Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:06.446{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018189Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:06.446{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018190Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:06.446{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018191Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:06.446{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018192Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:06.446{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018193Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:06.446{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018194Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:06.446{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018195Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:06.446{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018196Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:06.446{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018197Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:06.446{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018198Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:06.446{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018199Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:06.446{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018200Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:06.446{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018201Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:06.446{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018202Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:06.446{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018203Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:20:06.446{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018167Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:16.868{7E7FFDA1-2BD4-5FCE-0000-0010E6672800}4224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018168Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:16.868{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2BD4-5FCE-0000-0010E6672800}4224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018169Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:16.868{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2BD4-5FCE-0000-0010E6672800}4224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018170Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:16.868{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018171Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:16.868{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018172Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:16.868{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018173Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:16.868{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018174Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:16.868{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2BD4-5FCE-0000-0010E6672800}4224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018158Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:15.509{7E7FFDA1-2BD3-5FCE-0000-0010AA652800}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018159Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:15.508{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2BD3-5FCE-0000-0010AA652800}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018160Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:15.508{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-2BD3-5FCE-0000-0010AA652800}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018161Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:15.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018162Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:15.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018163Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:15.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018164Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:15.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018165Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:15.508{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2BD3-5FCE-0000-0010AA652800}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018166Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:15.649{7E7FFDA1-2BD3-5FCE-0000-0010AA652800}14562008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018140Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:14.306{7E7FFDA1-2BD2-5FCE-0000-001065622800}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018141Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:14.305{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2BD2-5FCE-0000-001065622800}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018142Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:14.305{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2BD2-5FCE-0000-001065622800}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018143Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:14.305{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018144Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:14.305{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018145Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:14.305{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018146Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:14.305{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018147Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:14.305{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2BD2-5FCE-0000-001065622800}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018148Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:14.446{7E7FFDA1-2BD2-5FCE-0000-001065622800}28166444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018149Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:14.838{7E7FFDA1-2BD2-5FCE-0000-001004642800}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018150Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:14.836{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2BD2-5FCE-0000-001004642800}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018151Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:14.836{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-2BD2-5FCE-0000-001004642800}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018152Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:14.836{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018153Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:14.836{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018154Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:14.836{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018155Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:14.836{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018156Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:14.836{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2BD2-5FCE-0000-001004642800}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018157Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:14.977{7E7FFDA1-2BD2-5FCE-0000-001004642800}26005764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018132Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:13.634{7E7FFDA1-2BD1-5FCE-0000-00109F602800}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018133Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:13.633{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2BD1-5FCE-0000-00109F602800}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018134Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:13.633{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2BD1-5FCE-0000-00109F602800}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018135Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:13.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018136Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:13.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018137Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:13.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018138Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:13.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018139Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:13.633{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2BD1-5FCE-0000-00109F602800}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018123Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:12.384{7E7FFDA1-2BD0-5FCE-0000-0010CE5E2800}5228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018124Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:12.383{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2BD0-5FCE-0000-0010CE5E2800}5228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018125Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:12.383{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2BD0-5FCE-0000-0010CE5E2800}5228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018126Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:12.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018127Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:12.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018128Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:12.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018129Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:12.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018130Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:12.383{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2BD0-5FCE-0000-0010CE5E2800}5228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018131Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:12.524{7E7FFDA1-2BD0-5FCE-0000-0010CE5E2800}52286728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018115Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:11.509{7E7FFDA1-2BCF-5FCE-0000-0010255D2800}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018116Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:11.508{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2BCF-5FCE-0000-0010255D2800}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018117Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:11.508{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-2BCF-5FCE-0000-0010255D2800}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018118Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:11.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018119Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:11.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018120Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:11.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018121Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:11.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018122Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:19:11.508{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2BCF-5FCE-0000-0010255D2800}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000018114Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:18:25.680{7E7FFDA1-18B1-5FCE-0000-001008C50000}1204C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6cc9b-0x71e48bbc) 154100x800000000000000018106Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:16.853{7E7FFDA1-2B98-5FCE-0000-00102D512800}1200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018107Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:16.852{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2B98-5FCE-0000-00102D512800}1200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018108Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:16.852{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-2B98-5FCE-0000-00102D512800}1200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018109Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:16.852{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018110Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:16.852{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018111Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:16.852{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018112Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:16.852{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018113Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:16.852{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2B98-5FCE-0000-00102D512800}1200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018096Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:15.118{7E7FFDA1-2B96-5FCE-0000-00101A4D2800}68125232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018097Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:15.650{7E7FFDA1-2B97-5FCE-0000-0010E54E2800}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018098Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:15.649{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2B97-5FCE-0000-0010E54E2800}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018099Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:15.649{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2B97-5FCE-0000-0010E54E2800}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018100Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:15.649{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018101Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:15.649{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018102Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:15.649{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018103Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:15.649{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018104Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:15.649{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2B97-5FCE-0000-0010E54E2800}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018105Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:15.790{7E7FFDA1-2B97-5FCE-0000-0010E54E2800}39604960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018077Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:14.306{7E7FFDA1-2B96-5FCE-0000-001086492800}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018078Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:14.305{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2B96-5FCE-0000-001086492800}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018079Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:14.305{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2B96-5FCE-0000-001086492800}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018080Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:14.305{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018081Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:14.305{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018082Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:14.305{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018083Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:14.305{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018084Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:14.305{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2B96-5FCE-0000-001086492800}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000018085Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:18:14.368{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_A47110B2-D436-47F8-BEA1-61CCEBF6C04E.XML 13241300x800000000000000018086Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:18:14.368{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Config SourceDWORD (0x00000001) 13241300x800000000000000018087Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:18:14.383{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9D191D6C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9D191D6C-0000-0000-0000-100000000000.XML 154100x800000000000000018088Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:14.978{7E7FFDA1-2B96-5FCE-0000-00101A4D2800}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018089Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:14.977{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2B96-5FCE-0000-00101A4D2800}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018090Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:14.977{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-2B96-5FCE-0000-00101A4D2800}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018091Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:14.977{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018092Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:14.977{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018093Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:14.977{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018094Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:14.977{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018095Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:14.977{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2B96-5FCE-0000-00101A4D2800}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018068Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:13.634{7E7FFDA1-2B95-5FCE-0000-0010D5472800}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018069Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:13.633{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2B95-5FCE-0000-0010D5472800}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018070Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:13.633{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-2B95-5FCE-0000-0010D5472800}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018071Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:13.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018072Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:13.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018073Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:13.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018074Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:13.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018075Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:13.633{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2B95-5FCE-0000-0010D5472800}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018076Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:13.774{7E7FFDA1-2B95-5FCE-0000-0010D5472800}50965868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018059Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:12.384{7E7FFDA1-2B94-5FCE-0000-001012462800}5580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018060Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:12.383{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2B94-5FCE-0000-001012462800}5580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018061Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:12.383{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2B94-5FCE-0000-001012462800}5580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018062Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:12.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018063Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:12.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018064Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:12.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018065Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:12.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018066Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:12.383{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2B94-5FCE-0000-001012462800}5580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018067Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:12.524{7E7FFDA1-2B94-5FCE-0000-001012462800}55807124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018051Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:11.665{7E7FFDA1-2B93-5FCE-0000-00105A442800}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018052Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:11.665{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2B93-5FCE-0000-00105A442800}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018053Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:11.665{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2B93-5FCE-0000-00105A442800}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018054Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:11.665{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018055Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:11.665{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018056Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:11.665{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018057Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:11.665{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018058Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:11.665{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2B93-5FCE-0000-00105A442800}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018022Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:05.430{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018023Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:05.430{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018024Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:05.430{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018025Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:05.430{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018026Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:05.430{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018027Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:05.430{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018028Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:05.430{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018029Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:05.430{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018030Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:05.430{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018031Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:05.430{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018032Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:05.430{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018033Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:05.430{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018034Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:05.430{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018035Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:05.430{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018036Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:05.430{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018037Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:05.430{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018038Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:05.430{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018039Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:05.430{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018040Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:05.430{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018041Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:05.430{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018042Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:05.430{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018043Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:05.430{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018044Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:05.430{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018045Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:05.430{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018046Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:05.430{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018047Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:05.430{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018048Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:05.430{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018049Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:05.430{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018050Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:18:05.430{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018021Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:45.430{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}6122084C:\Windows\system32\svchost.exe{7E7FFDA1-1963-5FCE-0000-0010982E0800}4320C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018019Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:37.118{7E7FFDA1-18B1-5FCE-0000-001002BA0000}11522064C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018020Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:37.118{7E7FFDA1-18B1-5FCE-0000-001002BA0000}11522064C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018018Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:35.477{7E7FFDA1-18AF-5FCE-0000-001027540000}856896C:\Windows\system32\lsass.exe{7E7FFDA1-18AE-5FCE-0000-0010EB030000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 154100x800000000000000018010Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:16.837{7E7FFDA1-2B5C-5FCE-0000-001090362800}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018011Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:16.837{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2B5C-5FCE-0000-001090362800}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018012Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:16.837{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2B5C-5FCE-0000-001090362800}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018013Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:16.837{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018014Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:16.837{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018015Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:16.837{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018016Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:16.837{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018017Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:16.837{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2B5C-5FCE-0000-001090362800}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018000Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:15.102{7E7FFDA1-2B5A-5FCE-0000-0010B5322800}44006824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018001Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:15.634{7E7FFDA1-2B5B-5FCE-0000-00105F342800}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018002Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:15.633{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2B5B-5FCE-0000-00105F342800}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018003Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:15.633{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2B5B-5FCE-0000-00105F342800}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018004Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:15.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018005Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:15.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018006Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:15.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018007Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:15.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018008Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:15.633{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2B5B-5FCE-0000-00105F342800}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018009Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:15.774{7E7FFDA1-2B5B-5FCE-0000-00105F342800}68926264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017984Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:14.291{7E7FFDA1-2B5A-5FCE-0000-0010E9302800}808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017985Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:14.290{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2B5A-5FCE-0000-0010E9302800}808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017986Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:14.290{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-2B5A-5FCE-0000-0010E9302800}808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017987Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:14.290{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017988Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:14.290{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017989Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:14.290{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017990Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:14.290{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017991Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:14.290{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2B5A-5FCE-0000-0010E9302800}808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017992Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:14.962{7E7FFDA1-2B5A-5FCE-0000-0010B5322800}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017993Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:14.962{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2B5A-5FCE-0000-0010B5322800}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017994Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:14.962{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-2B5A-5FCE-0000-0010B5322800}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017995Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:14.962{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017996Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:14.962{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017997Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:14.962{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017998Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:14.962{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017999Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:14.962{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2B5A-5FCE-0000-0010B5322800}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017975Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:13.619{7E7FFDA1-2B59-5FCE-0000-00105D2F2800}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017976Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:13.618{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2B59-5FCE-0000-00105D2F2800}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017977Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:13.618{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2B59-5FCE-0000-00105D2F2800}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017978Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:13.618{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017979Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:13.618{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017980Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:13.618{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017981Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:13.618{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017982Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:13.618{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2B59-5FCE-0000-00105D2F2800}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017983Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:13.759{7E7FFDA1-2B59-5FCE-0000-00105D2F2800}61841616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017966Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:12.369{7E7FFDA1-2B58-5FCE-0000-0010862D2800}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017967Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:12.368{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2B58-5FCE-0000-0010862D2800}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017968Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:12.368{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-2B58-5FCE-0000-0010862D2800}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017969Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:12.368{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017970Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:12.368{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017971Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:12.368{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017972Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:12.368{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017973Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:12.368{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2B58-5FCE-0000-0010862D2800}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017974Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:12.508{7E7FFDA1-2B58-5FCE-0000-0010862D2800}53643900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017958Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:11.666{7E7FFDA1-2B57-5FCE-0000-0010D52B2800}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017959Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:11.665{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2B57-5FCE-0000-0010D52B2800}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017960Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:11.665{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-2B57-5FCE-0000-0010D52B2800}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017961Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:11.665{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017962Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:11.665{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017963Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:11.665{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017964Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:11.665{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017965Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:17:11.665{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2B57-5FCE-0000-0010D52B2800}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017950Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:16.838{7E7FFDA1-2B20-5FCE-0000-0010401F2800}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017951Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:16.837{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2B20-5FCE-0000-0010401F2800}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017952Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:16.837{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2B20-5FCE-0000-0010401F2800}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017953Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:16.837{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017954Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:16.837{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017955Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:16.837{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017956Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:16.837{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017957Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:16.837{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2B20-5FCE-0000-0010401F2800}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017941Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:15.478{7E7FFDA1-2B1F-5FCE-0000-0010111D2800}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017942Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:15.477{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2B1F-5FCE-0000-0010111D2800}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017943Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:15.477{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-2B1F-5FCE-0000-0010111D2800}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017944Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:15.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017945Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:15.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017946Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:15.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017947Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:15.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017948Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:15.477{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2B1F-5FCE-0000-0010111D2800}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017949Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:15.618{7E7FFDA1-2B1F-5FCE-0000-0010111D2800}59486040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017924Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:14.275{7E7FFDA1-2B1E-5FCE-0000-0010A8192800}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017925Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:14.274{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2B1E-5FCE-0000-0010A8192800}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017926Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:14.274{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-2B1E-5FCE-0000-0010A8192800}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017927Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:14.274{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017928Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:14.274{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017929Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:14.274{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017930Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:14.274{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017931Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:14.274{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2B1E-5FCE-0000-0010A8192800}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017932Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:14.807{7E7FFDA1-2B1E-5FCE-0000-00105E1B2800}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017933Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:14.805{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2B1E-5FCE-0000-00105E1B2800}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017934Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:14.805{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2B1E-5FCE-0000-00105E1B2800}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017935Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:14.805{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017936Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:14.805{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017937Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:14.805{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017938Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:14.805{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017939Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:14.805{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2B1E-5FCE-0000-00105E1B2800}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017940Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:14.946{7E7FFDA1-2B1E-5FCE-0000-00105E1B2800}68725476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017915Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:13.603{7E7FFDA1-2B1D-5FCE-0000-001001182800}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017916Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:13.602{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2B1D-5FCE-0000-001001182800}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017917Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:13.602{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2B1D-5FCE-0000-001001182800}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017918Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:13.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017919Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:13.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017920Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:13.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017921Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:13.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017922Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:13.602{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2B1D-5FCE-0000-001001182800}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017923Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:13.743{7E7FFDA1-2B1D-5FCE-0000-001001182800}60606164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017906Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:12.369{7E7FFDA1-2B1C-5FCE-0000-001034162800}6540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017907Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:12.368{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2B1C-5FCE-0000-001034162800}6540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017908Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:12.368{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-2B1C-5FCE-0000-001034162800}6540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017909Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:12.368{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017910Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:12.368{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017911Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:12.368{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017912Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:12.368{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017913Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:12.368{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2B1C-5FCE-0000-001034162800}6540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017914Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:12.509{7E7FFDA1-2B1C-5FCE-0000-001034162800}65405040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017898Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:11.666{7E7FFDA1-2B1B-5FCE-0000-001085142800}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017899Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:11.665{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2B1B-5FCE-0000-001085142800}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017900Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:11.665{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-2B1B-5FCE-0000-001085142800}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017901Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:11.665{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017902Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:11.665{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017903Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:11.665{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017904Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:11.665{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017905Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:16:11.665{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2B1B-5FCE-0000-001085142800}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017896Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:59.790{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}6122084C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-001002BA0000}1152C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017897Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:59.790{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}6122084C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-001008C50000}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000017886Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:15:58.259{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6cca3-0x7b94d09a) 13241300x800000000000000017887Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:15:58.259{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cc9b-0x19d0689a) 13241300x800000000000000017888Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:15:58.259{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc92-0xb80c009a) 13241300x800000000000000017889Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:15:58.259{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0047d8d2) 13241300x800000000000000017890Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:15:58.259{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000017891Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:15:58.259{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6cca3-0x7b94d09a) 13241300x800000000000000017892Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:15:58.259{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cc9b-0x19d0689a) 13241300x800000000000000017893Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:15:58.259{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc92-0xb80c009a) 13241300x800000000000000017894Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:15:58.259{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0047d8d2) 13241300x800000000000000017895Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:15:58.259{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 10341000x800000000000000017857Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:41.384{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017858Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:41.384{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017859Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:41.384{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017860Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:41.384{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017861Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:41.384{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017862Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:41.384{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017863Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:41.384{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017864Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:41.384{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017865Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:41.384{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017866Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:41.384{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017867Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:41.384{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017868Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:41.384{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017869Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:41.384{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017870Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:41.384{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017871Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:41.384{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017872Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:41.384{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017873Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:41.384{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017874Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:41.384{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017875Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:41.384{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017876Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:41.384{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017877Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:41.384{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017878Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:41.384{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017879Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:41.384{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017880Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:41.384{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017881Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:41.384{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017882Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:41.384{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017883Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:41.384{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017884Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:41.384{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017885Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:41.384{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017856Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:38.602{7E7FFDA1-18AF-5FCE-0000-001027540000}856896C:\Windows\system32\lsass.exe{7E7FFDA1-18AE-5FCE-0000-0010EB030000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000017853Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:37.290{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017854Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:37.290{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017855Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:37.290{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017845Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:16.994{7E7FFDA1-2AE4-5FCE-0000-001062022800}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017846Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:16.993{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2AE4-5FCE-0000-001062022800}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017847Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:16.993{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-2AE4-5FCE-0000-001062022800}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017848Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:16.993{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017849Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:16.993{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017850Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:16.993{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017851Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:16.993{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017852Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:16.993{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2AE4-5FCE-0000-001062022800}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017836Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:15.494{7E7FFDA1-2AE3-5FCE-0000-001018002800}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017837Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:15.493{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2AE3-5FCE-0000-001018002800}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017838Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:15.493{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-2AE3-5FCE-0000-001018002800}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017839Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:15.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017840Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:15.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017841Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:15.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017842Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:15.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017843Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:15.493{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2AE3-5FCE-0000-001018002800}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017844Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:15.634{7E7FFDA1-2AE3-5FCE-0000-001018002800}55441132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017819Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:14.275{7E7FFDA1-2AE2-5FCE-0000-0010AFFC2700}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017820Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:14.274{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2AE2-5FCE-0000-0010AFFC2700}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017821Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:14.274{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2AE2-5FCE-0000-0010AFFC2700}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017822Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:14.274{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017823Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:14.274{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017824Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:14.274{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017825Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:14.274{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017826Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:14.274{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2AE2-5FCE-0000-0010AFFC2700}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017827Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:14.823{7E7FFDA1-2AE2-5FCE-0000-001065FE2700}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017570Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:11:39.353{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}6122084C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-001002BA0000}1152C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017577Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:11:48.009{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017576Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:11:48.009{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017575Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:11:48.009{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017574Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:11:48.009{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017573Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:11:48.009{7E7FFDA1-1961-5FCE-0000-00103C120700}30166276C:\Windows\system32\csrss.exe{7E7FFDA1-2A14-5FCE-0000-001049962700}1948C:\Windows\System32\Wbem\scrcons.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017572Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:11:48.009{7E7FFDA1-19DB-5FCE-0000-00104C680F00}66286800C:\Windows\System32\cmd.exe{7E7FFDA1-2A14-5FCE-0000-001049962700}1948C:\Windows\System32\Wbem\scrcons.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\cmd.exe+f1e1|C:\Windows\System32\cmd.exe+11a37|C:\Windows\System32\cmd.exe+cb0d|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+1ace3|C:\Windows\System32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017571Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:11:48.015{7E7FFDA1-2A14-5FCE-0000-001049962700}1948C:\Windows\System32\wbem\scrcons.exe10.0.14393.0 (rs1_release.160715-1616)WMI Standard Event Consumer - scriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationScrConsscrcons.exeC:\Windows\system32\ATTACKRANGE\Administrator{7E7FFDA1-1963-5FCE-0000-00202AED0700}0x7ed2a2HighMD5=0E7BCB183DB07DDE6CA7C7D598E66194,SHA256=7154B0624717DFE981520581E31AD7E53F3D77BA9EDCEED88BE397AA5E4E9B19,IMPHASH=68EDF5B5E1487BC2F7B0BE8EAD7EB2FB{7E7FFDA1-19DB-5FCE-0000-00104C680F00}6628C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" 13241300x800000000000000017578Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:12:01.525{7E7FFDA1-18B1-5FCE-0000-001008C50000}1204C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6cc9a-0x8ceb0927) 10341000x800000000000000017586Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:11.634{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2A2B-5FCE-0000-0010ACAC2700}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017585Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:11.634{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017584Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:11.634{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017583Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:11.634{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017582Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:11.634{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017581Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:11.634{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-2A2B-5FCE-0000-0010ACAC2700}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017580Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:11.634{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2A2B-5FCE-0000-0010ACAC2700}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017579Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:11.635{7E7FFDA1-2A2B-5FCE-0000-0010ACAC2700}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017595Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:12.509{7E7FFDA1-2A2C-5FCE-0000-00104FAE2700}71365480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017594Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:12.368{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2A2C-5FCE-0000-00104FAE2700}7136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017593Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:12.368{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017592Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:12.368{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017591Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:12.368{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017590Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:12.368{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017589Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:12.368{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2A2C-5FCE-0000-00104FAE2700}7136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017588Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:12.368{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2A2C-5FCE-0000-00104FAE2700}7136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017587Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:12.369{7E7FFDA1-2A2C-5FCE-0000-00104FAE2700}7136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017603Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:13.571{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2A2D-5FCE-0000-00101BB02700}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017602Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:13.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017601Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:13.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017600Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:13.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017599Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:13.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017598Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:13.571{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-2A2D-5FCE-0000-00101BB02700}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017597Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:13.571{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2A2D-5FCE-0000-00101BB02700}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017596Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:13.572{7E7FFDA1-2A2D-5FCE-0000-00101BB02700}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017620Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:14.868{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2A2E-5FCE-0000-001084B32700}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017619Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:14.868{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017618Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:14.868{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017617Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:14.868{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017616Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:14.868{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017615Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:14.868{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-2A2E-5FCE-0000-001084B32700}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017614Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:14.868{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2A2E-5FCE-0000-001084B32700}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017613Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:14.870{7E7FFDA1-2A2E-5FCE-0000-001084B32700}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017612Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:14.384{7E7FFDA1-2A2E-5FCE-0000-0010DBB12700}44806540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017611Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:14.243{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2A2E-5FCE-0000-0010DBB12700}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017610Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:14.243{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017609Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:14.243{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017608Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:14.243{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017607Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:14.243{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017606Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:14.243{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-2A2E-5FCE-0000-0010DBB12700}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017605Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:14.243{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2A2E-5FCE-0000-0010DBB12700}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017604Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:14.244{7E7FFDA1-2A2E-5FCE-0000-0010DBB12700}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017630Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:15.681{7E7FFDA1-2A2F-5FCE-0000-001028B52700}61561116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017629Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:15.540{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2A2F-5FCE-0000-001028B52700}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017628Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:15.540{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017627Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:15.540{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017626Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:15.540{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017625Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:15.540{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017624Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:15.540{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-2A2F-5FCE-0000-001028B52700}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017623Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:15.540{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2A2F-5FCE-0000-001028B52700}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017622Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:15.541{7E7FFDA1-2A2F-5FCE-0000-001028B52700}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017621Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:15.009{7E7FFDA1-2A2E-5FCE-0000-001084B32700}51362160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017638Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:16.993{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2A30-5FCE-0000-001072B72700}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017637Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:16.993{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017636Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:16.993{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017635Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:16.993{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017634Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:16.993{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017633Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:16.993{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-2A30-5FCE-0000-001072B72700}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017632Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:16.993{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2A30-5FCE-0000-001072B72700}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017631Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:12:16.994{7E7FFDA1-2A30-5FCE-0000-001072B72700}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017646Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:11.634{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2A67-5FCE-0000-0010EFC32700}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017645Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:11.634{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017644Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:11.634{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017643Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:11.634{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017642Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:11.634{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017641Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:11.634{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-2A67-5FCE-0000-0010EFC32700}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017640Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:11.634{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2A67-5FCE-0000-0010EFC32700}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017639Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:11.635{7E7FFDA1-2A67-5FCE-0000-0010EFC32700}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017655Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:12.509{7E7FFDA1-2A68-5FCE-0000-0010A2C52700}58047140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017654Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:12.368{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2A68-5FCE-0000-0010A2C52700}5804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017653Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:12.368{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017652Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:12.368{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017651Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:12.368{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017650Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:12.368{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017649Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:12.368{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-2A68-5FCE-0000-0010A2C52700}5804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017648Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:12.368{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2A68-5FCE-0000-0010A2C52700}5804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017647Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:12.369{7E7FFDA1-2A68-5FCE-0000-0010A2C52700}5804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x800000000000000017666Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:13:13.774{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9D191D6C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9D191D6C-0000-0000-0000-100000000000.XML 13241300x800000000000000017665Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:13:13.759{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Config SourceDWORD (0x00000001) 13241300x800000000000000017664Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:13:13.759{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_A47110B2-D436-47F8-BEA1-61CCEBF6C04E.XML 10341000x800000000000000017663Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:13.587{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2A69-5FCE-0000-00106BC72700}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017662Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:13.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017661Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:13.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017660Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:13.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017659Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:13.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017658Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:13.587{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2A69-5FCE-0000-00106BC72700}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017657Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:13.587{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2A69-5FCE-0000-00106BC72700}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017656Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:13.588{7E7FFDA1-2A69-5FCE-0000-00106BC72700}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017684Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:14.946{7E7FFDA1-2A6A-5FCE-0000-0010D0CC2700}69127156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017683Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:14.806{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2A6A-5FCE-0000-0010D0CC2700}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017682Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:14.806{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017681Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:14.806{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017680Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:14.806{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017679Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:14.806{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017678Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:14.806{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-2A6A-5FCE-0000-0010D0CC2700}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017677Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:14.806{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2A6A-5FCE-0000-0010D0CC2700}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017676Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:14.807{7E7FFDA1-2A6A-5FCE-0000-0010D0CC2700}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017675Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:14.400{7E7FFDA1-2A6A-5FCE-0000-0010F4CA2700}66326212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017674Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:14.259{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2A6A-5FCE-0000-0010F4CA2700}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017673Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:14.259{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017672Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:14.259{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017671Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:14.259{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017670Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:14.259{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017669Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:14.259{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-2A6A-5FCE-0000-0010F4CA2700}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017668Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:14.259{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2A6A-5FCE-0000-0010F4CA2700}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017667Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:14.260{7E7FFDA1-2A6A-5FCE-0000-0010F4CA2700}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017693Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:15.618{7E7FFDA1-2A6B-5FCE-0000-00107CCE2700}44006960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017692Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:15.478{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2A6B-5FCE-0000-00107CCE2700}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017691Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:15.478{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017690Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:15.478{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017689Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:15.478{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017688Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:15.478{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017687Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:15.478{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2A6B-5FCE-0000-00107CCE2700}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017686Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:15.478{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2A6B-5FCE-0000-00107CCE2700}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017685Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:15.478{7E7FFDA1-2A6B-5FCE-0000-00107CCE2700}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017701Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:16.993{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2A6C-5FCE-0000-0010AED02700}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017700Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:16.993{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017699Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:16.993{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017698Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:16.993{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017697Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:16.993{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017696Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:16.993{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2A6C-5FCE-0000-0010AED02700}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017695Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:16.993{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2A6C-5FCE-0000-0010AED02700}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017694Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:16.994{7E7FFDA1-2A6C-5FCE-0000-0010AED02700}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017732Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:40.368{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017731Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:40.368{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017730Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:40.368{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017729Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:40.368{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017728Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:40.368{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017727Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:40.368{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017726Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:40.368{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017725Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:40.368{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017724Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:40.368{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017723Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:40.368{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017722Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:40.368{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017721Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:40.368{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017720Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:40.368{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017719Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:40.368{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017718Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:40.368{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017717Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:40.368{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017716Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:40.368{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017715Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:40.368{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017714Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:40.368{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017713Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:40.368{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017712Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:40.368{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017711Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:40.368{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-001008C50000}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017710Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:40.368{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-001008C50000}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017709Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:40.368{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017708Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:40.368{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017707Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:40.368{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017706Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:40.368{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017705Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:40.368{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017704Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:40.368{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017703Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:40.368{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017702Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:13:40.368{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017740Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:11.649{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2AA3-5FCE-0000-0010EFE02700}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017739Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:11.649{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017738Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:11.649{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017737Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:11.649{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017736Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:11.649{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017735Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:11.649{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2AA3-5FCE-0000-0010EFE02700}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017734Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:11.649{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2AA3-5FCE-0000-0010EFE02700}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017733Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:11.650{7E7FFDA1-2AA3-5FCE-0000-0010EFE02700}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017749Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:12.509{7E7FFDA1-2AA4-5FCE-0000-00107CE22700}58125788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017748Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:12.368{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2AA4-5FCE-0000-00107CE22700}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017747Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:12.368{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017746Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:12.368{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017745Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:12.368{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017744Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:12.368{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017743Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:12.368{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2AA4-5FCE-0000-00107CE22700}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017742Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:12.368{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2AA4-5FCE-0000-00107CE22700}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017741Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:12.369{7E7FFDA1-2AA4-5FCE-0000-00107CE22700}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017757Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:13.587{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2AA5-5FCE-0000-001048E42700}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017756Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:13.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017755Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:13.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017754Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:13.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017753Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:13.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017752Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:13.587{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2AA5-5FCE-0000-001048E42700}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017751Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:13.587{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2AA5-5FCE-0000-001048E42700}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017750Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:13.588{7E7FFDA1-2AA5-5FCE-0000-001048E42700}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017774Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:14.868{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2AA6-5FCE-0000-0010C8E72700}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017773Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:14.868{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017772Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:14.868{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017771Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:14.868{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017770Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:14.868{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017769Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:14.868{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2AA6-5FCE-0000-0010C8E72700}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017768Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:14.868{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2AA6-5FCE-0000-0010C8E72700}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017767Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:14.870{7E7FFDA1-2AA6-5FCE-0000-0010C8E72700}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017766Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:14.399{7E7FFDA1-2AA6-5FCE-0000-00100FE62700}7324996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017765Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:14.259{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2AA6-5FCE-0000-00100FE62700}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017764Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:14.259{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017763Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:14.259{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017762Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:14.259{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017761Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:14.259{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017760Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:14.259{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-2AA6-5FCE-0000-00100FE62700}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017759Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:14.259{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2AA6-5FCE-0000-00100FE62700}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017758Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:14.260{7E7FFDA1-2AA6-5FCE-0000-00100FE62700}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017784Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:15.681{7E7FFDA1-2AA7-5FCE-0000-00105DE92700}55926712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017783Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:15.540{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2AA7-5FCE-0000-00105DE92700}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017782Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:15.540{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017781Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:15.540{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017780Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:15.540{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017779Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:15.540{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017778Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:15.540{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2AA7-5FCE-0000-00105DE92700}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017777Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:15.540{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2AA7-5FCE-0000-00105DE92700}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017776Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:15.541{7E7FFDA1-2AA7-5FCE-0000-00105DE92700}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017775Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:15.009{7E7FFDA1-2AA6-5FCE-0000-0010C8E72700}36282784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017792Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:16.993{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2AA8-5FCE-0000-0010AFEB2700}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017791Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:16.993{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017790Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:16.993{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017789Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:16.993{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017788Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:16.993{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017787Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:16.993{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2AA8-5FCE-0000-0010AFEB2700}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017786Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:16.993{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2AA8-5FCE-0000-0010AFEB2700}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017785Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:14:16.994{7E7FFDA1-2AA8-5FCE-0000-0010AFEB2700}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017800Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:11.649{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2ADF-5FCE-0000-001087F72700}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017799Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:11.649{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017798Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:11.649{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017797Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:11.649{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017796Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:11.649{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017795Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:11.649{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-2ADF-5FCE-0000-001087F72700}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017794Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:11.649{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2ADF-5FCE-0000-001087F72700}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017793Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:11.650{7E7FFDA1-2ADF-5FCE-0000-001087F72700}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017809Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:12.509{7E7FFDA1-2AE0-5FCE-0000-00103DF92700}46844124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017808Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:12.368{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2AE0-5FCE-0000-00103DF92700}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017807Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:12.368{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017806Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:12.368{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017805Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:12.368{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017804Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:12.368{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017803Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:12.368{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-2AE0-5FCE-0000-00103DF92700}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017802Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:12.368{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2AE0-5FCE-0000-00103DF92700}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017801Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:12.369{7E7FFDA1-2AE0-5FCE-0000-00103DF92700}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017818Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:13.743{7E7FFDA1-2AE1-5FCE-0000-001005FB2700}55362200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017817Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:13.602{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2AE1-5FCE-0000-001005FB2700}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017816Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:13.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017815Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:13.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017814Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:13.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017813Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:13.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017812Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:13.602{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-2AE1-5FCE-0000-001005FB2700}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017811Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:13.602{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2AE1-5FCE-0000-001005FB2700}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017810Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:13.603{7E7FFDA1-2AE1-5FCE-0000-001005FB2700}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017835Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:14.962{7E7FFDA1-2AE2-5FCE-0000-001065FE2700}53567116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017834Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:14.821{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-2AE2-5FCE-0000-001065FE2700}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017833Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:14.821{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017832Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:14.821{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017831Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:14.821{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017830Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:14.821{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5882488C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017829Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:14.821{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-2AE2-5FCE-0000-001065FE2700}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017828Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:15:14.821{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-2AE2-5FCE-0000-001065FE2700}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004968Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:18.716{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-6416-5FCE-0000-0010B8E30700}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004967Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:18.716{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004966Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:18.716{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004965Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:18.716{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004964Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:18.716{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004963Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:18.716{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004962Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:18.716{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004961Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:18.716{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004960Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:18.716{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004959Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:18.716{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004958Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:18.716{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6416-5FCE-0000-0010B8E30700}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004957Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:18.716{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-6416-5FCE-0000-0010B8E30700}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004956Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:18.717{B364217D-6416-5FCE-0000-0010B8E30700}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004982Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:19.529{B364217D-6417-5FCE-0000-0010CEE50700}45682832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004981Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:19.388{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-6417-5FCE-0000-0010CEE50700}4568C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004980Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:19.388{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004979Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:19.388{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004978Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:19.388{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004977Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:19.388{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004976Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:19.388{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004975Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:19.388{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004974Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:19.388{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004973Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:19.388{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004972Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:19.388{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004971Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:19.388{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6417-5FCE-0000-0010CEE50700}4568C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004970Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:19.388{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-6417-5FCE-0000-0010CEE50700}4568C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004969Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:19.389{B364217D-6417-5FCE-0000-0010CEE50700}4568C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004995Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:20.060{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-6418-5FCE-0000-001089E70700}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004994Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:20.060{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004993Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:20.060{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004992Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:20.060{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004991Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:20.060{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004990Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:20.060{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004989Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:20.060{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004988Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:20.060{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004987Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:20.060{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004986Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:20.060{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004985Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:20.060{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6418-5FCE-0000-001089E70700}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004984Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:20.060{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-6418-5FCE-0000-001089E70700}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004983Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:20.061{B364217D-6418-5FCE-0000-001089E70700}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005009Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:21.482{B364217D-6419-5FCE-0000-001098E90700}46084596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005008Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:21.341{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-6419-5FCE-0000-001098E90700}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005007Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:21.341{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005006Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:21.341{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005005Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:21.341{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005004Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:21.341{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005003Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:21.341{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005002Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:21.341{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005001Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:21.341{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005000Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:21.341{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004999Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:21.341{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004998Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:21.341{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6419-5FCE-0000-001098E90700}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004997Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:21.341{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-6419-5FCE-0000-001098E90700}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004996Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:21.342{B364217D-6419-5FCE-0000-001098E90700}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005037Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:22.779{B364217D-641A-5FCE-0000-00100DED0700}43884248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005036Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:22.638{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-641A-5FCE-0000-00100DED0700}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005035Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:22.638{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005034Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:22.638{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005033Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:22.638{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005032Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:22.638{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005031Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:22.638{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005030Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:22.638{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005029Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:22.638{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005028Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:22.638{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005027Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:22.638{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005026Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:22.638{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-641A-5FCE-0000-00100DED0700}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005025Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:22.638{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-641A-5FCE-0000-00100DED0700}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005024Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:22.640{B364217D-641A-5FCE-0000-00100DED0700}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005023Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:22.232{B364217D-641A-5FCE-0000-001034EB0700}35204760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005022Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:22.091{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-641A-5FCE-0000-001034EB0700}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005021Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:22.091{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005020Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:22.091{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005019Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:22.091{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005018Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:22.091{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005017Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:22.091{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005016Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:22.091{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005015Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:22.091{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005014Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:22.091{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005013Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:22.091{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005012Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:22.091{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-641A-5FCE-0000-001034EB0700}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005011Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:22.091{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-641A-5FCE-0000-001034EB0700}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005010Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:22.092{B364217D-641A-5FCE-0000-001034EB0700}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005051Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:23.966{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-641B-5FCE-0000-00105BEF0700}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005050Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:23.966{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005049Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:23.966{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005048Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:23.966{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005047Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:23.966{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005046Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:23.966{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005045Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:23.966{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005044Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:23.966{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005043Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:23.966{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005042Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:23.966{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005041Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:23.966{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-641B-5FCE-0000-00105BEF0700}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005040Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:23.966{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-641B-5FCE-0000-00105BEF0700}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005039Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:23.967{B364217D-641B-5FCE-0000-00105BEF0700}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005038Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:19:23.966{B364217D-61FE-5FCE-0000-0010F9A90000}9921576C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-001037C40000}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000005052Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:19:41.044{B364217D-61FE-5FCE-0000-001037C40000}1204C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6ccbd-0x25e1baa8) 10341000x80000000000000005065Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:18.715{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-6452-5FCE-0000-00103FFB0700}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005064Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:18.715{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005063Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:18.715{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005062Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:18.715{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005061Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:18.715{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005060Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:18.715{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005059Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:18.715{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005058Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:18.715{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005057Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:18.715{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005056Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:18.715{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005055Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:18.715{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6452-5FCE-0000-00103FFB0700}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005054Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:18.715{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-6452-5FCE-0000-00103FFB0700}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005053Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:18.716{B364217D-6452-5FCE-0000-00103FFB0700}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005079Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:19.527{B364217D-6453-5FCE-0000-001057FD0700}39563952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005078Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:19.387{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-6453-5FCE-0000-001057FD0700}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005077Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:19.387{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005076Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:19.387{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005075Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:19.387{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005074Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:19.387{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005073Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:19.387{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005072Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:19.387{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005071Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:19.387{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005070Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:19.387{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005069Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:19.387{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005068Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:19.387{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6453-5FCE-0000-001057FD0700}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005067Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:19.387{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-6453-5FCE-0000-001057FD0700}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005066Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:19.387{B364217D-6453-5FCE-0000-001057FD0700}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005093Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:20.933{B364217D-61FC-5FCE-0000-001019540000}8564172C:\Windows\system32\lsass.exe{B364217D-61FB-5FCE-0000-0010EB030000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000005092Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:20.058{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-6454-5FCE-0000-00101DFF0700}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005091Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:20.058{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005090Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:20.058{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005089Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:20.058{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005088Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:20.058{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005087Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:20.058{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005086Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:20.058{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005085Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:20.058{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005084Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:20.058{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005083Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:20.058{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005082Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:20.058{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6454-5FCE-0000-00101DFF0700}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005081Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:20.058{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-6454-5FCE-0000-00101DFF0700}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005080Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:20.059{B364217D-6454-5FCE-0000-00101DFF0700}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005107Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:21.480{B364217D-6455-5FCE-0000-0010A8010800}41841436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005106Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:21.340{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-6455-5FCE-0000-0010A8010800}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005105Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:21.340{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005104Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:21.340{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005103Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:21.340{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005102Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:21.340{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005101Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:21.340{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005100Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:21.340{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005099Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:21.340{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005098Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:21.340{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005097Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:21.340{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005096Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:21.340{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6455-5FCE-0000-0010A8010800}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005095Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:21.340{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-6455-5FCE-0000-0010A8010800}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005094Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:21.340{B364217D-6455-5FCE-0000-0010A8010800}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005137Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:22.902{B364217D-6456-5FCE-0000-0010FF050800}34883204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005136Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:22.761{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-6456-5FCE-0000-0010FF050800}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005135Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:22.761{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005134Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:22.761{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005133Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:22.761{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005132Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:22.761{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005131Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:22.761{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005130Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:22.761{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005129Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:22.761{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005128Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:22.761{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005127Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:22.761{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005126Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:22.761{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6456-5FCE-0000-0010FF050800}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005125Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:22.761{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-6456-5FCE-0000-0010FF050800}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005124Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:22.762{B364217D-6456-5FCE-0000-0010FF050800}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005123Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:22.543{B364217D-61FE-5FCE-0000-00102EBA0000}11363672C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001046BC0200}2932C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005122Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:22.543{B364217D-61FE-5FCE-0000-00102EBA0000}11363672C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001046BC0200}2932C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005121Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:22.230{B364217D-6456-5FCE-0000-001066030800}4480928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005120Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:22.090{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-6456-5FCE-0000-001066030800}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005119Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:22.090{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005118Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:22.090{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005117Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:22.090{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005116Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:22.090{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005115Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:22.090{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005114Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:22.090{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005113Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:22.090{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005112Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:22.090{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005111Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:22.090{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005110Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:22.090{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6456-5FCE-0000-001066030800}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005109Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:22.090{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-6456-5FCE-0000-001066030800}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005108Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:22.090{B364217D-6456-5FCE-0000-001066030800}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005264Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.965{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-6457-5FCE-0000-0010B52D0800}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005263Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.965{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005262Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.965{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005261Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.965{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005260Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.965{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005259Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.965{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005258Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.965{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005257Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.965{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005256Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.965{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005255Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.965{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005254Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.965{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6457-5FCE-0000-0010B52D0800}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005253Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.965{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-6457-5FCE-0000-0010B52D0800}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005252Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.965{B364217D-6457-5FCE-0000-0010B52D0800}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005251Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.715{B364217D-6457-5FCE-0000-001074130800}49605068C:\Windows\system32\conhost.exe{B364217D-6457-5FCE-0000-0010071E0800}1840C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005250Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.715{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6457-5FCE-0000-0010071E0800}1840C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005249Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.715{B364217D-6457-5FCE-0000-001050120800}29124660C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe{B364217D-6457-5FCE-0000-0010071E0800}1840C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.DLL+32979|UNKNOWN(00007FF7F4F25147) 10341000x80000000000000005248Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.699{B364217D-61FC-5FCE-0000-001019540000}8561104C:\Windows\system32\lsass.exe{B364217D-6457-5FCE-0000-0010AD1A0800}2860C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005247Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.699{B364217D-61FC-5FCE-0000-001019540000}8561104C:\Windows\system32\lsass.exe{B364217D-6457-5FCE-0000-0010AD1A0800}2860C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005246Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.683{B364217D-6457-5FCE-0000-001074130800}49605068C:\Windows\system32\conhost.exe{B364217D-6457-5FCE-0000-0010AD1A0800}2860C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005245Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.683{B364217D-6457-5FCE-0000-0010B41A0800}28324568C:\Windows\system32\conhost.exe{B364217D-6457-5FCE-0000-00109F130800}5076C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005244Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.683{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6457-5FCE-0000-0010AD1A0800}2860C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005243Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.683{B364217D-6457-5FCE-0000-001050120800}29124660C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe{B364217D-6457-5FCE-0000-0010AD1A0800}2860C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.DLL+32979|UNKNOWN(00007FF7F4F25147) 10341000x80000000000000005242Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.668{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6457-5FCE-0000-0010B41A0800}2832C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x80000000000000005241Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:23.636{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000000) 13241300x80000000000000005240Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:23.636{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00094cbc) 13241300x80000000000000005239Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:23.636{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6ccb2-0x2edcd8d6) 13241300x80000000000000005238Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:23.636{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6ccba-0x90a140d6) 13241300x80000000000000005237Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:23.636{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6ccc2-0xf265a8d6) 10341000x80000000000000005236Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.605{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00101ABA0000}1144C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000005235Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.605{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005234Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.605{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005233Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.605{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005232Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.605{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005231Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.605{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005230Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.605{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005229Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.605{B364217D-6457-5FCE-0000-001074130800}49605068C:\Windows\system32\conhost.exe{B364217D-6457-5FCE-0000-001050120800}2912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005228Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.605{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005227Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.605{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005226Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.605{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005225Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.605{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005224Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.605{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005223Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.605{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005222Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.605{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005221Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.605{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005220Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.605{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005219Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.605{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6457-5FCE-0000-00109F130800}5076C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005218Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.605{B364217D-6457-5FCE-0000-001038080800}4700728C:\Windows\system32\taskhostw.exe{B364217D-6457-5FCE-0000-00109F130800}5076C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b56bc|UNKNOWN(00007FF7F4F311E2) 154100x80000000000000005217Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.612{B364217D-6457-5FCE-0000-00109F130800}5076C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe4.7.2053.0 built by: NET47REL1Microsoft .NET Framework optimization serviceMicrosoft® .NET FrameworkMicrosoft CorporationNGenTask.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe" /RuntimeWide /StopEvent:400C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=D4FCDD915CAA2B207531B145FD538E1A,SHA256=4279C50E5BF0F5F89358CA5BF1876827BF4D055DCE6BDBDEA56D4AD9F5047CCE,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{B364217D-6457-5FCE-0000-001038080800}4700C:\Windows\System32\taskhostw.exetaskhostw.exe /RuntimeWide 10341000x80000000000000005216Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.605{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6457-5FCE-0000-001074130800}4960C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005215Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.605{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005214Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.605{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005213Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.605{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005212Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.605{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005211Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.605{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005210Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.605{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005209Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.605{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005208Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.605{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005207Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.605{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005206Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.605{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6457-5FCE-0000-001050120800}2912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005205Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.605{B364217D-6457-5FCE-0000-001038080800}4700732C:\Windows\system32\taskhostw.exe{B364217D-6457-5FCE-0000-001050120800}2912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b56bc|UNKNOWN(00007FF7F4F311E2) 154100x80000000000000005204Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.606{B364217D-6457-5FCE-0000-001050120800}2912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe4.7.2053.0 built by: NET47REL1Microsoft .NET Framework optimization serviceMicrosoft® .NET FrameworkMicrosoft CorporationNGenTask.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe" /RuntimeWide /StopEvent:308C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=310EC059A68DEB69CFC32CFA946FEFE0,SHA256=7BC95DCD791A505FDD9FD0E117EB0BD5AC4F28176E8127FFB39521DAEF670970,IMPHASH=00000000000000000000000000000000{B364217D-6457-5FCE-0000-001038080800}4700C:\Windows\System32\taskhostw.exetaskhostw.exe /RuntimeWide 10341000x80000000000000005203Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.590{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005202Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.590{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005201Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.590{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005200Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.590{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005199Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.590{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005198Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.590{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005197Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.590{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005196Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.590{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005195Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.590{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005194Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.590{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6457-5FCE-0000-0010810F0800}3196C:\Windows\system32\speech_onecore\common\SpeechModelDownload.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005193Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.590{B364217D-61FE-5FCE-0000-00102EBA0000}11361236C:\Windows\system32\svchost.exe{B364217D-6457-5FCE-0000-0010810F0800}3196C:\Windows\system32\speech_onecore\common\SpeechModelDownload.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+ac60|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e12a|c:\windows\system32\UBPM.dll+dd82|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005192Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.574{B364217D-6457-5FCE-0000-00106E0E0800}43401296C:\Windows\system32\conhost.exe{B364217D-6457-5FCE-0000-0010BF0D0800}4776C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005191Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.574{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6457-5FCE-0000-00106E0E0800}4340C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005190Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.574{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005189Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.574{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005188Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.574{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005187Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.574{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005186Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.574{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005185Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.574{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005184Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.574{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005183Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.574{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005182Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.574{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005181Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.574{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6457-5FCE-0000-0010BF0D0800}4776C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005180Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.574{B364217D-61FE-5FCE-0000-00102EBA0000}11361852C:\Windows\system32\svchost.exe{B364217D-6457-5FCE-0000-0010BF0D0800}4776C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a711|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e12a|c:\windows\system32\UBPM.dll+dd82|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005179Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.574{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005178Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.574{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005177Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.558{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6457-5FCE-0000-00100F090800}1300C:\Windows\system32\usoclient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005176Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.558{B364217D-6457-5FCE-0000-0010D6090800}19124328C:\Windows\system32\conhost.exe{B364217D-6457-5FCE-0000-00100F090800}1300C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005175Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.543{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005174Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.543{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005173Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.543{B364217D-61FC-5FCE-0000-001019540000}8564172C:\Windows\system32\lsass.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005172Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.543{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005171Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.543{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005170Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.543{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005169Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.543{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005168Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.543{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6457-5FCE-0000-0010D6090800}1912C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005167Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.543{B364217D-61FC-5FCE-0000-001019540000}8564172C:\Windows\system32\lsass.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005166Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.543{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005165Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.543{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005164Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.543{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005163Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.543{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005162Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.543{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005161Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.543{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005160Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.543{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005159Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.543{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005158Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.543{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005157Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.543{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005156Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.543{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005155Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.543{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6457-5FCE-0000-00100F090800}1300C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005154Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.543{B364217D-61FE-5FCE-0000-00102EBA0000}11361236C:\Windows\system32\svchost.exe{B364217D-6457-5FCE-0000-00100F090800}1300C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a711|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e12a|c:\windows\system32\UBPM.dll+dd82|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005153Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.543{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005152Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.543{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005151Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.543{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005150Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.543{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005149Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.543{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005148Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.543{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005147Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.543{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005146Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.543{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005145Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.543{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005144Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.543{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005143Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.543{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005142Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.543{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005141Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.543{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005140Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.543{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005139Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:23.543{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x80000000000000005138Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:21.002{B364217D-61FE-5FCE-0000-001035C40000}1196WIN-DC-6920fe80::31f6:3ddb:dc7:b397;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 10341000x80000000000000005269Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:24.949{B364217D-61FC-5FCE-0000-001019540000}8564172C:\Windows\system32\lsass.exe{B364217D-6458-5FCE-0000-001047350800}3796C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005268Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:24.949{B364217D-61FC-5FCE-0000-001019540000}8564172C:\Windows\system32\lsass.exe{B364217D-6458-5FCE-0000-001047350800}3796C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005267Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:24.902{B364217D-6457-5FCE-0000-0010B41A0800}28324568C:\Windows\system32\conhost.exe{B364217D-6458-5FCE-0000-001047350800}3796C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005266Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:24.902{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6458-5FCE-0000-001047350800}3796C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005265Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:24.902{B364217D-6457-5FCE-0000-00109F130800}50763492C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe{B364217D-6458-5FCE-0000-001047350800}3796C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.DLL+37d14(wow64)|UNKNOWN(0000000001E0404B)|UNKNOWN(0000000001E03CFC)|UNKNOWN(0000000001E01D03)|UNKNOWN(0000000001E00B66)|UNKNOWN(0000000001E0054F)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+ebf6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+11e50(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+17a14(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+11801a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+18f677(wow64) 10341000x80000000000000005272Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:24.996{B364217D-6457-5FCE-0000-0010B41A0800}28324568C:\Windows\system32\conhost.exe{B364217D-6459-5FCE-0000-001094380800}4384C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005271Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:24.996{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6459-5FCE-0000-001094380800}4384C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005270Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:24.996{B364217D-6457-5FCE-0000-00109F130800}50763492C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe{B364217D-6459-5FCE-0000-001094380800}4384C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.DLL+37d14(wow64)|UNKNOWN(0000000001E0404B)|UNKNOWN(0000000001E03CFC)|UNKNOWN(0000000001E04ADD)|UNKNOWN(0000000001E02444)|UNKNOWN(0000000001E00B66)|UNKNOWN(0000000001E0054F)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+ebf6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+11e50(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+17a14(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+11801a(wow64) 10341000x80000000000000005279Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:26.871{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645A-5FCE-0000-00103B550800}1168C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005278Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:26.855{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-645A-5FCE-0000-00103B550800}1168C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005277Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:26.855{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-645A-5FCE-0000-00103B550800}1168C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005276Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:26.558{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6457-5FCE-0000-0010071E0800}1840C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005275Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:26.543{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645A-5FCE-0000-0010D5510800}664C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005274Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:26.527{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-645A-5FCE-0000-0010D5510800}664C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005273Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:26.527{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-645A-5FCE-0000-0010D5510800}664C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005282Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:27.136{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645B-5FCE-0000-001068580800}5008C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005281Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:27.121{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-645B-5FCE-0000-001068580800}5008C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005280Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:27.121{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-645B-5FCE-0000-001068580800}5008C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x80000000000000005283Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localRDP2020-12-07 17:20:27.210{B364217D-61FE-5FCE-0000-00101ABA0000}1144C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse95.90.199.6559771false10.0.1.14win-dc-692.attackrange.local3389ms-wbt-server 10341000x80000000000000005450Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.996{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005449Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.996{B364217D-645F-5FCE-0000-001042940800}48763952C:\Windows\system32\LogonUI.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\logoncontroller.dll+2dfb5|C:\Windows\System32\RPCRT4.dll+50d64|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005448Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.980{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005447Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.980{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005446Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.902{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005445Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.902{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005444Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.902{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005443Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.902{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005442Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.902{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005441Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.902{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005440Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.886{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005439Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.886{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005438Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.886{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005437Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.886{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005436Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.886{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005435Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.886{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005434Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.886{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005433Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.886{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005432Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.886{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005431Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.855{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005430Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.855{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005429Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.855{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005428Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.855{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005427Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.855{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005426Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.855{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005425Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.839{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005424Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.839{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005423Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.839{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005422Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.824{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005421Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.824{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005420Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.824{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005419Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.824{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005418Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.824{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005417Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.824{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005416Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.808{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001074A00800}2708C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005415Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.808{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001074A00800}2708C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005414Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.808{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005413Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.808{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005412Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.808{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005411Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.808{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005410Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.808{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005409Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.808{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005408Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.808{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001074A00800}2708C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005407Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.792{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005406Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.792{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005405Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.792{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005404Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.792{B364217D-61FC-5FCE-0000-001019540000}8561104C:\Windows\system32\lsass.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005403Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.792{B364217D-61FC-5FCE-0000-001019540000}8561104C:\Windows\system32\lsass.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005402Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.792{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005401Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.792{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005400Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.792{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005399Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.792{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005398Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.792{B364217D-61FE-5FCE-0000-00102EBA0000}11361528C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001074A00800}2708C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005397Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.792{B364217D-61FE-5FCE-0000-00102EBA0000}11361624C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001074A00800}2708C:\Windows\system32\dwm.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005396Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.792{B364217D-61FE-5FCE-0000-00102EBA0000}11363396C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+2685b|C:\Windows\system32\wbem\wbemcore.dll+22b78|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005395Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.784{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005394Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.784{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005393Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.784{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005392Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.784{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005391Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.784{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005390Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.784{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005389Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.784{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005388Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.784{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005387Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.784{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005386Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.784{B364217D-645F-5FCE-0000-0010EA600800}42163868C:\Windows\system32\csrss.exe{B364217D-645F-5FCE-0000-001074A00800}2708C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005385Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.761{B364217D-645F-5FCE-0000-0010CF620800}27562216C:\Windows\system32\winlogon.exe{B364217D-645F-5FCE-0000-001074A00800}2708C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\dwminit.dll+2d11|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005384Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.730{B364217D-61FC-5FCE-0000-001019540000}8561104C:\Windows\system32\lsass.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1c030|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005383Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.771{B364217D-645F-5FCE-0000-001074A00800}2708C:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exe"dwm.exe"C:\Windows\system32\Window Manager\DWM-2{B364217D-645F-5FCE-0000-0020EB940800}0x894eb2SystemMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408,IMPHASH=DDB7DE3741333EE031929A760FCD4542{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\System32\winlogon.exewinlogon.exe 10341000x80000000000000005382Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.730{B364217D-61FC-5FCE-0000-001019540000}8561104C:\Windows\system32\lsass.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005381Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.730{B364217D-61FC-5FCE-0000-001019540000}8561104C:\Windows\system32\lsass.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005380Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.730{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005379Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.730{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005378Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.730{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005377Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.730{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005376Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.730{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005375Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.730{B364217D-61FC-5FCE-0000-001019540000}8564172C:\Windows\system32\lsass.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005374Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.714{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005373Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.714{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005372Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.714{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005371Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.714{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005370Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.699{B364217D-61FE-5FCE-0000-00102EBA0000}11361528C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005369Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.699{B364217D-61FE-5FCE-0000-00102EBA0000}11361624C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005368Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.699{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005367Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.699{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005366Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.699{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005365Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.699{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005364Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.699{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005363Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.699{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005362Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.699{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005361Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.699{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005360Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.699{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005359Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.699{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005358Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.699{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005357Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.699{B364217D-645F-5FCE-0000-0010EA600800}42163868C:\Windows\system32\csrss.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005356Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.699{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005355Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.683{B364217D-61FC-5FCE-0000-001019540000}8561104C:\Windows\system32\lsass.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005354Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.683{B364217D-645F-5FCE-0000-0010CF620800}27563188C:\Windows\system32\winlogon.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+22617|C:\Windows\system32\winlogon.exe+2b287|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005353Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.683{B364217D-61FC-5FCE-0000-001019540000}8561104C:\Windows\system32\lsass.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005352Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.683{B364217D-61FC-5FCE-0000-001019540000}8561104C:\Windows\system32\lsass.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005351Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.698{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x2 /state0:0xa3a64055 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e72SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\System32\winlogon.exewinlogon.exe 10341000x80000000000000005350Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.683{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005349Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.683{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005348Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.683{B364217D-61FE-5FCE-0000-00102EBA0000}11361528C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005347Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.683{B364217D-61FE-5FCE-0000-00102EBA0000}11361528C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+3c53|c:\windows\system32\themeservice.dll+2675|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005346Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.683{B364217D-61FE-5FCE-0000-00102EBA0000}11361624C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005345Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.683{B364217D-61FE-5FCE-0000-00102EBA0000}11361528C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005344Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.683{B364217D-61FE-5FCE-0000-00102EBA0000}11361624C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005343Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.558{B364217D-645F-5FCE-0000-0010EA600800}42163284C:\Windows\system32\csrss.exe{B364217D-61FE-5FCE-0000-00101ABA0000}1144C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\winsrv.DLL+1ef0|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005342Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.558{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005341Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.558{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005340Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.527{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000005339Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:31.402{B364217D-61FB-5FCE-0000-0010EB030000}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000005338Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:31.402{B364217D-61FB-5FCE-0000-0010EB030000}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000002) 13241300x80000000000000005337Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:31.402{B364217D-61FB-5FCE-0000-0010EB030000}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 13241300x80000000000000005336Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:31.402{B364217D-61FB-5FCE-0000-0010EB030000}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000005335Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:31.402{B364217D-61FB-5FCE-0000-0010EB030000}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000002) 13241300x80000000000000005334Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:31.402{B364217D-61FB-5FCE-0000-0010EB030000}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 13241300x80000000000000005333Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localInvDB-DriverVerSetValue2020-12-07 17:20:31.402{B364217D-61FB-5FCE-0000-0010EB030000}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e96f-e325-11ce-bfc1-08002be10318}\0001\DriverVersion10.0.14393.0 13241300x80000000000000005332Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:31.402{B364217D-61FB-5FCE-0000-0010EB030000}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000005331Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:31.402{B364217D-61FB-5FCE-0000-0010EB030000}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000002) 13241300x80000000000000005330Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:31.402{B364217D-61FB-5FCE-0000-0010EB030000}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 13241300x80000000000000005329Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:31.402{B364217D-61FB-5FCE-0000-0010EB030000}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x80000000000000005328Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:31.402{B364217D-61FB-5FCE-0000-0010EB030000}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 13241300x80000000000000005327Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:31.402{B364217D-61FB-5FCE-0000-0010EB030000}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 13241300x80000000000000005326Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localInvDB-DriverVerSetValue2020-12-07 17:20:31.386{B364217D-61FB-5FCE-0000-0010EB030000}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}\0001\DriverVersion10.0.14393.0 10341000x80000000000000005325Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.324{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2387f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005324Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.324{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+2380c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005323Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.324{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+237c4|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005322Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.324{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005321Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.324{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005320Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.324{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005319Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.324{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005318Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.324{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005317Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.324{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005316Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.324{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005315Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.324{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005314Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.324{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005313Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.324{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010EA600800}4216C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000005312Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.324{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000005311Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.324{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000005310Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.324{B364217D-645F-5FCE-0000-001028600800}50642464C:\Windows\System32\smss.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\SYSTEM32\ntdll.dll+8bf9e|C:\Windows\SYSTEM32\ntdll.dll+8bd49|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x80000000000000005309Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.331{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWINLOGON.EXEwinlogon.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e72SystemMD5=DEA4CE12F24601830083126E18A2C7C9,SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9,IMPHASH=3CF10D94C117DB4F6E9D523B93429D6D{B364217D-645F-5FCE-0000-001028600800}5064C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000ec 0000007c 10341000x80000000000000005308Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.324{B364217D-61FB-5FCE-0000-0010D12A0000}448628C:\Windows\System32\smss.exe{B364217D-645F-5FCE-0000-0010EA600800}4216C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6624|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005307Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.324{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010EA600800}4216C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005306Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.308{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005305Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.308{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005304Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.308{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005303Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.308{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005302Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.308{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005301Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.308{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005300Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.308{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005299Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.308{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005298Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.308{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005297Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.308{B364217D-645F-5FCE-0000-001028600800}50642464C:\Windows\System32\smss.exe{B364217D-645F-5FCE-0000-0010EA600800}4216C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\SYSTEM32\ntdll.dll+8bf9e|C:\Windows\SYSTEM32\ntdll.dll+8bd49|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x80000000000000005296Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.318{B364217D-645F-5FCE-0000-0010EA600800}4216C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e72SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{B364217D-645F-5FCE-0000-001028600800}5064C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000ec 0000007c 10341000x80000000000000005295Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.308{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005294Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.308{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005293Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.308{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005292Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.308{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005291Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.308{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005290Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.308{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005289Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.308{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005288Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.308{B364217D-61FB-5FCE-0000-0010D12A0000}448628C:\Windows\System32\smss.exe{B364217D-645F-5FCE-0000-001028600800}5064C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6624|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005287Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.308{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005286Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.308{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005285Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.308{B364217D-61FB-5FCE-0000-0010D12A0000}448628C:\Windows\System32\smss.exe{B364217D-645F-5FCE-0000-001028600800}5064C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\SYSTEM32\ntdll.dll+8bf9e|C:\Windows\SYSTEM32\ntdll.dll+8bd49|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+3c31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x80000000000000005284Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:31.312{B364217D-645F-5FCE-0000-001028600800}5064C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 000000ec 0000007c C:\Windows\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e72SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{B364217D-61FB-5FCE-0000-0010D12A0000}448C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 10341000x80000000000000005632Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.917{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-001028D10000}1332C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005631Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.917{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-001028D10000}1332C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005630Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.917{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-001028D10000}1332C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005629Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.855{B364217D-61FE-5FCE-0000-001028D10000}13321688C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005628Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.808{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-001028D10000}1332C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005627Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.808{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-001028D10000}1332C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005626Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.808{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-001028D10000}1332C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005625Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.792{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-001028D10000}1332C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005624Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.792{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-001028D10000}1332C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005623Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.792{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-001028D10000}1332C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005622Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.792{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-001028D10000}1332C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005621Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.792{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-001028D10000}1332C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005620Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.792{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-001028D10000}1332C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005619Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.792{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005618Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.777{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6460-5FCE-0000-0010B0670900}3520C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005617Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.777{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6460-5FCE-0000-0010B0670900}3520C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005616Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.777{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6460-5FCE-0000-0010B0670900}3520C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005615Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.683{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00101ABA0000}1144C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000005614Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.683{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000005613Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.667{B364217D-61FE-5FCE-0000-00102EBA0000}11364888C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+50d64|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005612Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.667{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2de4|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005611Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.667{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2dce|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005610Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.667{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+57a4|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005609Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.636{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00101ABA0000}1144C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000005608Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.621{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00101ABA0000}1144C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000005607Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.621{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00101ABA0000}1144C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000005606Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.621{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2f9b|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005605Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.621{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2f4d|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005604Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.621{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+5718|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005603Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.621{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+56c4|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005602Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.621{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005601Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.621{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005600Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.621{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005599Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.621{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000005598Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:32.621{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000005597Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:32.621{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00096fb5) 13241300x80000000000000005596Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:32.621{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6ccb4-0xe28391ce) 13241300x80000000000000005595Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:32.621{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6ccbd-0x4447f9ce) 13241300x80000000000000005594Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:32.621{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6ccc5-0xa60c61ce) 10341000x80000000000000005593Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.496{B364217D-61FC-5FCE-0000-001019540000}8561104C:\Windows\system32\lsass.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005592Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.496{B364217D-61FC-5FCE-0000-001019540000}8561104C:\Windows\system32\lsass.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005591Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.496{B364217D-61FC-5FCE-0000-001019540000}8561104C:\Windows\system32\lsass.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005590Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.496{B364217D-61FC-5FCE-0000-001019540000}8561104C:\Windows\system32\lsass.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005589Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.496{B364217D-61FC-5FCE-0000-001019540000}8561104C:\Windows\system32\lsass.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005588Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.496{B364217D-61FC-5FCE-0000-001019540000}8561104C:\Windows\system32\lsass.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005587Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.464{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005586Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.464{B364217D-61FC-5FCE-0000-001019540000}8561104C:\Windows\system32\lsass.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005585Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.464{B364217D-61FC-5FCE-0000-001019540000}8561104C:\Windows\system32\lsass.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005584Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.464{B364217D-61FC-5FCE-0000-001019540000}8561104C:\Windows\system32\lsass.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005583Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.464{B364217D-61FC-5FCE-0000-001019540000}8561104C:\Windows\system32\lsass.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005582Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.464{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005581Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.464{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005580Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.464{B364217D-61FC-5FCE-0000-001019540000}8561104C:\Windows\system32\lsass.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005579Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.464{B364217D-61FC-5FCE-0000-001019540000}8561104C:\Windows\system32\lsass.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005578Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.464{B364217D-61FE-5FCE-0000-001028D10000}13321688C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005577Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.433{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005576Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.433{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005575Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.433{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000005574Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2020-12-07 17:20:32.433{B364217D-61FB-5FCE-0000-0010EB030000}4SystemHKLM\System\CurrentControlSet\Enum\SWD\ScDeviceEnumBus\1\FriendlyNameMicrosoft Passport Container Enumeration Bus 13241300x80000000000000005573Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localInvDB-DriverVerSetValue2020-12-07 17:20:32.433{B364217D-61FB-5FCE-0000-0010EB030000}4SystemHKLM\System\CurrentControlSet\Control\Class\{62f9c741-b25a-46ce-b54c-9bccce08b6f2}\0003\DriverVersion10.0.14393.0 13241300x80000000000000005572Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2020-12-07 17:20:32.433{B364217D-61FB-5FCE-0000-0010EB030000}4SystemHKLM\System\CurrentControlSet\Enum\SWD\ScDeviceEnumBus\0\FriendlyNameSmart Card Device Enumeration Bus 13241300x80000000000000005571Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localInvDB-DriverVerSetValue2020-12-07 17:20:32.433{B364217D-61FB-5FCE-0000-0010EB030000}4SystemHKLM\System\CurrentControlSet\Control\Class\{62f9c741-b25a-46ce-b54c-9bccce08b6f2}\0002\DriverVersion10.0.14393.0 10341000x80000000000000005570Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.402{B364217D-61FE-5FCE-0000-00101ABA0000}11441488C:\Windows\System32\svchost.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1ad7|c:\windows\system32\termsrv.dll+6b498|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005569Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.402{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005568Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.402{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005567Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.402{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005566Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.402{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005565Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.402{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005564Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.402{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005563Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.402{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005562Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.402{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005561Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.402{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005560Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.402{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005559Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.402{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005558Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.402{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005557Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.402{B364217D-61FC-5FCE-0000-001019540000}8561104C:\Windows\system32\lsass.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005556Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.402{B364217D-61FC-5FCE-0000-001019540000}8561104C:\Windows\system32\lsass.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005555Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.386{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005554Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.386{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005553Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.386{B364217D-61FC-5FCE-0000-001019540000}8561104C:\Windows\system32\lsass.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005552Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.386{B364217D-61FC-5FCE-0000-001019540000}8561104C:\Windows\system32\lsass.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005551Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.386{B364217D-61FC-5FCE-0000-001019540000}8561104C:\Windows\system32\lsass.exe{B364217D-61FE-5FCE-0000-00101ABA0000}1144C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005550Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.386{B364217D-61FC-5FCE-0000-001019540000}8561104C:\Windows\system32\lsass.exe{B364217D-61FE-5FCE-0000-00101ABA0000}1144C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005549Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.386{B364217D-61FE-5FCE-0000-00101ABA0000}11442532C:\Windows\System32\svchost.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1ad7|c:\windows\system32\termsrv.dll+6b498|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005548Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.386{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005547Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.386{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005546Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.183{B364217D-61FE-5FCE-0000-001037C40000}12042004C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005545Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.183{B364217D-61FE-5FCE-0000-001037C40000}12042004C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005544Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.183{B364217D-61FE-5FCE-0000-001037C40000}12042004C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005543Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.183{B364217D-61FE-5FCE-0000-001037C40000}12042004C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005542Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.136{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005541Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.136{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005540Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.136{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005539Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.121{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005538Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.121{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005537Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.121{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005536Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.121{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005535Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.121{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005534Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.121{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005533Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.121{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005532Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.121{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005531Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.121{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005530Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.121{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005529Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.121{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005528Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.121{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005527Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.105{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005526Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.105{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005525Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.105{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005524Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.105{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005523Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.105{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000005522Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.089{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6457-5FCE-0000-00106E0E0800}4340C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005521Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.089{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005520Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.089{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005519Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.089{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005518Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.089{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005517Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.089{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005516Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.089{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005515Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.089{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005514Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.089{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005513Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.089{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005512Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.089{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6457-5FCE-0000-00106E0E0800}4340C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005511Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.089{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6457-5FCE-0000-00106E0E0800}4340C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005510Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.093{B364217D-6460-5FCE-0000-0010A62A0900}4340C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe10.0.14393.3926 (rs1_release.200817-1737)Windows Modules Installer WorkerMicrosoft® Windows® Operating SystemMicrosoft CorporationTiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=A8CBBA3111CF28435F7E8C8B94EC6FBD,SHA256=D4DDF9F7CB94FE55C7EA1CA90AB9638A883B84308C858EF466554E32FB17EFC3,IMPHASH=38FF53C1CCC1EE4C508C0F83A88C4E19{B364217D-61FE-5FCE-0000-0010E0650000}604C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000005509Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.074{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005508Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.074{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-0010980E0100}1864C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005507Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.074{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000005506Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.074{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00101ABA0000}1144C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000005505Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.074{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005504Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.074{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005503Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.074{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005502Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.074{B364217D-61FC-5FCE-0000-00103B530000}848916C:\Windows\system32\services.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005501Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.074{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005500Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.074{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005499Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.074{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005498Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.074{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005497Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.074{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005496Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.074{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005495Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.074{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005494Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.074{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005493Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.074{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005492Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.074{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005491Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.074{B364217D-61FC-5FCE-0000-00103B530000}8481128C:\Windows\system32\services.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005490Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.077{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe10.0.14393.3564 (rs1_release.200303-1942)Windows Modules InstallerMicrosoft® Windows® Operating SystemMicrosoft CorporationTrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=187076E4BC7B2F5FB7D54D1234B3CDEA,SHA256=7AE4CC64E2F0E5C58ABB6542233DA78B9AEAAD22C9D853AB96265EF3FBFEFABE,IMPHASH=648F735E453FC6802BFAECAC5ACA72A4{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000005489Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.074{B364217D-61FC-5FCE-0000-001019540000}8561104C:\Windows\system32\lsass.exe{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005488Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.074{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005487Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.074{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005486Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.074{B364217D-61FC-5FCE-0000-001019540000}8561104C:\Windows\system32\lsass.exe{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005485Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.058{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005484Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.058{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005483Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.058{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005482Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.058{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005481Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.058{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005480Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.058{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005479Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.058{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005478Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.058{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005477Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.058{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005476Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.042{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005475Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.042{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005474Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.042{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005473Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.027{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000005472Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.027{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00101ABA0000}1144C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000005471Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.027{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005470Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.027{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005469Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.027{B364217D-61FE-5FCE-0000-00101ABA0000}11442532C:\Windows\System32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1ad7|c:\windows\system32\termsrv.dll+6b17d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005468Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.027{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-0010DAB80200}2544C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005467Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.027{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005466Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.027{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-001028D10000}1332C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005465Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.027{B364217D-61FE-5FCE-0000-00102EBA0000}11361528C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005464Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.027{B364217D-61FE-5FCE-0000-00102EBA0000}11361624C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005463Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.027{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-001028D10000}1332C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005462Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.027{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-001028D10000}1332C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005461Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.027{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005460Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.027{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001042940800}4876C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005459Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.027{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005458Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.027{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005457Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.027{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005456Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.027{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005455Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.027{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005454Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.027{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+396a|c:\windows\system32\SYSNTFY.dll+1fc3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+52568|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005453Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.027{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+50d64|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005452Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.027{B364217D-61FC-5FCE-0000-001019540000}8561104C:\Windows\system32\lsass.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+50d64|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005451Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.027{B364217D-61FE-5FCE-0000-00102EBA0000}11361528C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+50d64|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005910Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.808{B364217D-61FE-5FCE-0000-00102EBA0000}11361232C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005909Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.808{B364217D-61FE-5FCE-0000-00102EBA0000}11361624C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005908Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.792{B364217D-645F-5FCE-0000-0010EA600800}42163292C:\Windows\system32\csrss.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005907Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.792{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005906Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.792{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005905Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.792{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005904Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.792{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005903Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.792{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005902Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.792{B364217D-61FE-5FCE-0000-00102EBA0000}11361232C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+ac60|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e12a|c:\windows\system32\UBPM.dll+dd82|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005901Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.792{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005900Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localT10532020-12-07 17:20:33.779{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\CreateExplorerShellUnelevatedTask2020-12-07 17:20:33.779 10341000x80000000000000005899Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.762{B364217D-61FC-5FCE-0000-001019540000}856896C:\Windows\system32\lsass.exe{B364217D-6461-5FCE-0000-00101EC00900}5464C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005898Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.762{B364217D-61FC-5FCE-0000-001019540000}856896C:\Windows\system32\lsass.exe{B364217D-6461-5FCE-0000-00101EC00900}5464C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005897Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.730{B364217D-61FE-5FCE-0000-00102EBA0000}11362232C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-00101EC00900}5464C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005896Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.730{B364217D-61FE-5FCE-0000-00102EBA0000}11361624C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-00101EC00900}5464C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005895Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.667{B364217D-645F-5FCE-0000-0010EA600800}42163324C:\Windows\system32\csrss.exe{B364217D-6461-5FCE-0000-00101EC00900}5464C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005894Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.667{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005893Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.667{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005892Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.667{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005891Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.667{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005890Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.667{B364217D-6461-5FCE-0000-001040BE0900}54405444C:\Windows\system32\userinit.exe{B364217D-6461-5FCE-0000-00101EC00900}5464C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\userinit.exe+1cd8|C:\Windows\system32\userinit.exe+23e5|C:\Windows\system32\userinit.exe+346e|C:\Windows\system32\userinit.exe+3725|C:\Windows\system32\userinit.exe+4553|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005889Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.564{B364217D-6461-5FCE-0000-00101EC00900}5464C:\Windows\explorer.exe10.0.14393.3866 (rs1_release.200805-1327)Windows ExplorerMicrosoft® Windows® Operating SystemMicrosoft CorporationEXPLORER.EXEC:\Windows\Explorer.EXEC:\Windows\system32\ATTACKRANGE\Administrator{B364217D-6460-5FCE-0000-0020BD420900}0x942bd2HighMD5=DF4B969F42D13259C3B264C99D1C0B2A,SHA256=C01D2AF406D43E1331DA921CC35AA52324C57FA6D7FA906732CA2B95515972C3,IMPHASH=8D2880102609AA4B23679BD4FEBEBC95{B364217D-6461-5FCE-0000-001040BE0900}5440C:\Windows\System32\userinit.exeC:\Windows\system32\userinit.exe 10341000x80000000000000005888Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.589{B364217D-61FC-5FCE-0000-001019540000}8564928C:\Windows\system32\lsass.exe{B364217D-61FB-5FCE-0000-0010EB030000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31375|C:\Windows\system32\lsasrv.dll+2f20b|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x80000000000000005887Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localT1060,RunKeySetValue2020-12-07 17:20:33.542{B364217D-6461-5FCE-0000-001040BE0900}5440C:\Windows\system32\userinit.exeHKU\S-1-5-21-2034510999-1345200767-2897500970-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce\ctfmon.exectfmon.exe /n 10341000x80000000000000005886Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.542{B364217D-61FE-5FCE-0000-00102EBA0000}11362232C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001040BE0900}5440C:\Windows\system32\userinit.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005885Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.542{B364217D-61FE-5FCE-0000-00102EBA0000}11361624C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001040BE0900}5440C:\Windows\system32\userinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005884Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.527{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005883Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.527{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005882Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.527{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005881Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.527{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005880Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.527{B364217D-645F-5FCE-0000-0010EA600800}42163292C:\Windows\system32\csrss.exe{B364217D-6461-5FCE-0000-001040BE0900}5440C:\Windows\system32\userinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005879Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.527{B364217D-645F-5FCE-0000-0010CF620800}27564140C:\Windows\system32\winlogon.exe{B364217D-6461-5FCE-0000-001040BE0900}5440C:\Windows\system32\userinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+15b13|C:\Windows\system32\winlogon.exe+ea76|C:\Windows\system32\winlogon.exe+b12f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005878Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.539{B364217D-6461-5FCE-0000-001040BE0900}5440C:\Windows\System32\userinit.exe10.0.14393.0 (rs1_release.160715-1616)Userinit Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationUSERINIT.EXEC:\Windows\system32\userinit.exeC:\Windows\system32\ATTACKRANGE\Administrator{B364217D-6460-5FCE-0000-0020BD420900}0x942bd2HighMD5=C1B1FFC800BE2F31EB2CF8CB40629C69,SHA256=CFC6A18FC8FE7447ECD491345A32F0F10208F114B70A0E9D1CD72F6070D5B36F,IMPHASH=BFA137B16F3492AFCA0551687B067C04{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\System32\winlogon.exewinlogon.exe 10341000x80000000000000005877Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.527{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000005876Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localT1031,T1050SetValue2020-12-07 17:20:33.480{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\EFS\StartDWORD (0x00000003) 10341000x80000000000000005875Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.386{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005874Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.371{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005873Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.355{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005872Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.355{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005871Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.355{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+3a1a|c:\windows\system32\SYSNTFY.dll+1e8d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+52568|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005870Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.355{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005869Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.355{B364217D-61FE-5FCE-0000-00102EBA0000}11362236C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\sessenv.dll+3de88|c:\windows\system32\sessenv.dll+f881|c:\windows\system32\sessenv.dll+677c|c:\windows\system32\SYSNTFY.dll+1e8d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+52568|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005868Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.339{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005867Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.339{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005866Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.339{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005865Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.339{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005864Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.230{B364217D-6461-5FCE-0000-0010A5980900}24645168C:\Windows\system32\conhost.exe{B364217D-6461-5FCE-0000-00100D970900}3264C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005863Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.230{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005862Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.230{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005861Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.230{B364217D-645F-5FCE-0000-0010EA600800}42163868C:\Windows\system32\csrss.exe{B364217D-6461-5FCE-0000-0010D1980900}5124C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005860Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.230{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005859Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.230{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005858Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.230{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6461-5FCE-0000-0010D1980900}5124C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005857Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.230{B364217D-61FE-5FCE-0000-00102EBA0000}11361528C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-0010D1980900}5124C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+ac60|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+10806|c:\windows\system32\UBPM.dll+d3a9|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e12a|c:\windows\system32\UBPM.dll+dd82|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005856Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.230{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005855Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.230{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005854Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.230{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005853Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.230{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005852Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.230{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6461-5FCE-0000-0010A5980900}2464C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005851Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.214{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005850Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.214{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005849Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.214{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005848Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.214{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005847Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.214{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005846Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.214{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6461-5FCE-0000-00100D970900}3264C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005845Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.214{B364217D-61FE-5FCE-0000-00102EBA0000}11362168C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-00100D970900}3264C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a711|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e12a|c:\windows\system32\UBPM.dll+dd82|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005844Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.214{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005843Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.214{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005842Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.214{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005841Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.214{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-0010980E0100}1864C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005840Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.214{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005839Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.214{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005838Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.214{B364217D-61FC-5FCE-0000-00103B530000}848916C:\Windows\system32\services.exe{B364217D-6461-5FCE-0000-0010AF940900}4520C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005837Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.214{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-0010AF940900}4520C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005836Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.214{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001074A00800}2708C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005835Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.214{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001074A00800}2708C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005834Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.214{B364217D-645F-5FCE-0000-0010EA600800}42163324C:\Windows\system32\csrss.exe{B364217D-6461-5FCE-0000-0010AF940900}4520C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005833Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6461-5FCE-0000-0010AF940900}4520C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005832Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}8481128C:\Windows\system32\services.exe{B364217D-6461-5FCE-0000-0010AF940900}4520C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+1cf77|C:\Windows\system32\services.exe+2dc8|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 13241300x80000000000000005831Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_9924b\Description@%%SystemRoot%%\system32\WpnUserService.dll,-2 13241300x80000000000000005830Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_9924b\FailureActionsBinary Data 13241300x80000000000000005829Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_9924b\Security\SecurityBinary Data 13241300x80000000000000005828Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_9924b\DisplayNameWindows Push Notifications User Service_9924b 13241300x80000000000000005827Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localT1031,T1050SetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_9924b\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x80000000000000005826Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_9924b\ErrorControlDWORD (0x00000000) 13241300x80000000000000005825Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localT1031,T1050SetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_9924b\StartDWORD (0x00000003) 13241300x80000000000000005824Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_9924b\TypeDWORD (0x000000e0) 13241300x80000000000000005823Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_9924b\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-14000 13241300x80000000000000005822Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_9924b\FailureActionsBinary Data 13241300x80000000000000005821Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_9924b\Security\SecurityBinary Data 13241300x80000000000000005820Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_9924b\DisplayNameUser Data Access_9924b 13241300x80000000000000005819Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localT1031,T1050SetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_9924b\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x80000000000000005818Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_9924b\ErrorControlDWORD (0x00000000) 13241300x80000000000000005817Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localT1031,T1050SetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_9924b\StartDWORD (0x00000003) 13241300x80000000000000005816Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_9924b\TypeDWORD (0x000000e0) 13241300x80000000000000005815Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_9924b\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-10002 13241300x80000000000000005814Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_9924b\FailureActionsBinary Data 13241300x80000000000000005813Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_9924b\Security\SecurityBinary Data 13241300x80000000000000005812Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_9924b\DisplayNameUser Data Storage_9924b 13241300x80000000000000005811Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localT1031,T1050SetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_9924b\ImagePathC:\Windows\System32\svchost.exe -k UnistackSvcGroup 13241300x80000000000000005810Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_9924b\ErrorControlDWORD (0x00000000) 13241300x80000000000000005809Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localT1031,T1050SetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_9924b\StartDWORD (0x00000003) 13241300x80000000000000005808Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_9924b\TypeDWORD (0x000000e0) 13241300x80000000000000005807Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_9924b\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-15000 13241300x80000000000000005806Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_9924b\FailureActionsBinary Data 13241300x80000000000000005805Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_9924b\Security\SecurityBinary Data 13241300x80000000000000005804Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_9924b\DisplayNameContact Data_9924b 13241300x80000000000000005803Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localT1031,T1050SetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_9924b\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x80000000000000005802Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_9924b\ErrorControlDWORD (0x00000000) 13241300x80000000000000005801Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localT1031,T1050SetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_9924b\StartDWORD (0x00000003) 13241300x80000000000000005800Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_9924b\TypeDWORD (0x000000e0) 13241300x80000000000000005799Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_9924b\Description@%%SystemRoot%%\system32\APHostRes.dll,-10001 13241300x80000000000000005798Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_9924b\FailureActionsBinary Data 13241300x80000000000000005797Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_9924b\Security\SecurityBinary Data 13241300x80000000000000005796Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_9924b\DisplayNameSync Host_9924b 13241300x80000000000000005795Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localT1031,T1050SetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_9924b\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x80000000000000005794Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_9924b\ErrorControlDWORD (0x00000000) 13241300x80000000000000005793Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localT1031,T1050SetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_9924b\StartDWORD (0x00000002) 13241300x80000000000000005792Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_9924b\TypeDWORD (0x000000e0) 13241300x80000000000000005791Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_9924b\Description@%%SystemRoot%%\system32\cdpusersvc.dll,-101 13241300x80000000000000005790Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_9924b\FailureActionsBinary Data 13241300x80000000000000005789Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_9924b\Security\SecurityBinary Data 10341000x80000000000000005788Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.199{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005787Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.199{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000005786Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_9924b\DisplayNameCDPUserSvc_9924b 13241300x80000000000000005785Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localT1031,T1050SetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_9924b\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x80000000000000005784Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_9924b\ErrorControlDWORD (0x00000001) 13241300x80000000000000005783Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localT1031,T1050SetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_9924b\StartDWORD (0x00000002) 13241300x80000000000000005782Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.199{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_9924b\TypeDWORD (0x000000e0) 10341000x80000000000000005781Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.199{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005780Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.199{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005779Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.199{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-0010B77F0900}4672C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005778Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.199{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005777Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.167{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-0010B77F0900}4672C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000005776Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.167{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00101ABA0000}1144C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000005775Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.152{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005774Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.152{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005773Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.152{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\TokenBroker.dll+1acfa|C:\Windows\System32\TokenBroker.dll+1d475|C:\Windows\System32\TokenBroker.dll+1d7f9|C:\Windows\System32\TokenBroker.dll+1e8f3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+5086c|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x80000000000000005772Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.152{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\TokenBroker.dll+21886|C:\Windows\System32\TokenBroker.dll+1ac23|C:\Windows\System32\TokenBroker.dll+1d475|C:\Windows\System32\TokenBroker.dll+1d7f9|C:\Windows\System32\TokenBroker.dll+1e8f3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+5086c|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000005771Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.121{B364217D-61FC-5FCE-0000-001019540000}8561104C:\Windows\system32\lsass.exe{B364217D-6461-5FCE-0000-0010A3760900}1256C:\Windows\system32\efsui.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005770Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.121{B364217D-61FC-5FCE-0000-001019540000}8561104C:\Windows\system32\lsass.exe{B364217D-6461-5FCE-0000-0010A3760900}1256C:\Windows\system32\efsui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005769Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.121{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-0010B77F0900}4672C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005768Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.121{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-0010B77F0900}4672C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005767Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.121{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-0010B77F0900}4672C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005766Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.121{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-0010B77F0900}4672C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005765Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.121{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005764Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.121{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005763Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.121{B364217D-61FC-5FCE-0000-001019540000}8561104C:\Windows\system32\lsass.exe{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005762Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.105{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-0010B77F0900}4672C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005761Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.105{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-0010B77F0900}4672C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005760Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.105{B364217D-61FE-5FCE-0000-00102EBA0000}11361528C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-0010B77F0900}4672C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005759Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.105{B364217D-61FE-5FCE-0000-00102EBA0000}11361624C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-0010B77F0900}4672C:\Windows\System32\rdpclip.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005758Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.105{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-0010B77F0900}4672C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005757Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.105{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-0010B77F0900}4672C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005756Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.105{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005755Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.105{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005754Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.105{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005753Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.105{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005752Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.105{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005751Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.105{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005750Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.074{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001074A00800}2708C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005749Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.074{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001074A00800}2708C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005748Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.074{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005747Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.074{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001074A00800}2708C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005746Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.074{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-001074A00800}2708C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005745Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.058{B364217D-645F-5FCE-0000-0010EA600800}42163292C:\Windows\system32\csrss.exe{B364217D-6461-5FCE-0000-0010B77F0900}4672C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005744Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.058{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005743Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.058{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6461-5FCE-0000-0010B77F0900}4672C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005742Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.058{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005741Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.058{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005740Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.058{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005739Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.058{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005738Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.058{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005737Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.058{B364217D-61FE-5FCE-0000-00101ABA0000}11442532C:\Windows\System32\svchost.exe{B364217D-6461-5FCE-0000-0010B77F0900}4672C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\termsrv.dll+37d29|c:\windows\system32\termsrv.dll+f4fc|c:\windows\system32\termsrv.dll+1aa1b|c:\windows\system32\termsrv.dll+19ad3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000005736Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.058{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005735Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.058{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005734Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.058{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005733Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.058{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005732Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.058{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005731Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.058{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005730Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.058{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005729Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.049{B364217D-6461-5FCE-0000-0010B77F0900}4672C:\Windows\System32\rdpclip.exe10.0.14393.3503 (rs1_release.200131-0410)RDP Clipboard MonitorMicrosoft® Windows® Operating SystemMicrosoft Corporationrdpclip.exerdpclipC:\Windows\system32\ATTACKRANGE\Administrator{B364217D-6460-5FCE-0000-0020BD420900}0x942bd2HighMD5=D887E718FB0F4C99B9F01C5BD59F8B90,SHA256=ACFA1128B4EDD953F6364FA6216337A59C0522A01349263A11259A827838A56F,IMPHASH=5A464814303942D42A66B561CF697F26{B364217D-61FE-5FCE-0000-00101ABA0000}1144C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k termsvcs 10341000x80000000000000005728Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.042{B364217D-61FC-5FCE-0000-001019540000}8561104C:\Windows\system32\lsass.exe{B364217D-6461-5FCE-0000-0010A3760900}1256C:\Windows\system32\efsui.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005727Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.042{B364217D-61FC-5FCE-0000-001019540000}8561104C:\Windows\system32\lsass.exe{B364217D-6461-5FCE-0000-0010A3760900}1256C:\Windows\system32\efsui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005726Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.042{B364217D-61FE-5FCE-0000-00102EBA0000}11362232C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-0010A3760900}1256C:\Windows\system32\efsui.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005725Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.042{B364217D-61FE-5FCE-0000-00102EBA0000}11361624C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-0010A3760900}1256C:\Windows\system32\efsui.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005724Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.027{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00101ABA0000}1144C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000005723Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.027{B364217D-620D-5FCE-0000-0010DAB80200}25442688C:\Windows\System32\spoolsv.exe{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\spoolsv.exe+1aea3|C:\Windows\System32\spoolsv.exe+1ad09|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+5296b|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005722Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-0010A8770900}2096C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005721Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005720Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005719Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005718Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-00102EBA0000}11362232C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-0010A8770900}2096C:\Windows\system32\TSTheme.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005717Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-00102EBA0000}11361624C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-0010A8770900}2096C:\Windows\system32\TSTheme.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005716Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-0010DAB80200}2544C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005715Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-0010DAB80200}2544C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005714Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-0010DAB80200}2544C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005713Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005712Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005711Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005710Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005709Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005708Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005707Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005706Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005705Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005704Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005703Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005702Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005701Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005700Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005699Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005698Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005697Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005696Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005695Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005694Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005693Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005692Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005691Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005690Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005689Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005688Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-645F-5FCE-0000-0010EA600800}42163292C:\Windows\system32\csrss.exe{B364217D-6461-5FCE-0000-0010A8770900}2096C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005687Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005686Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005685Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005684Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005683Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6461-5FCE-0000-0010A8770900}2096C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005682Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-0010A8770900}2096C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005681Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.012{B364217D-6461-5FCE-0000-0010A8770900}2096C:\Windows\System32\TSTheme.exe10.0.14393.0 (rs1_release.160715-1616)TSTheme Server ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationTSThemeS.exeC:\Windows\system32\TSTheme.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{B364217D-6460-5FCE-0000-0020BD420900}0x942bd2HighMD5=A9A89CB1838373C365F2B8AF72B1F1C2,SHA256=5EDB8F164B5CACAEFC551E3D0EA0971E5DA1AB144AB66FE429BC7E5DCB2FCC3C,IMPHASH=851EBF0BAEED8A212E02B93229FDC674{B364217D-61FE-5FCE-0000-0010E0650000}604C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000005680Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005679Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005678Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-645F-5FCE-0000-0010EA600800}42163868C:\Windows\system32\csrss.exe{B364217D-6461-5FCE-0000-0010A3760900}1256C:\Windows\system32\efsui.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005677Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005676Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005675Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005674Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005673Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005672Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005671Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005670Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005669Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005668Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005667Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005666Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005665Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005664Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.011{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005663Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.996{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6461-5FCE-0000-0010A3760900}1256C:\Windows\system32\efsui.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005662Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.996{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005661Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.996{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005660Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.996{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005659Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.996{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005658Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.996{B364217D-61FC-5FCE-0000-001019540000}856888C:\Windows\system32\lsass.exe{B364217D-6461-5FCE-0000-0010A3760900}1256C:\Windows\system32\efsui.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\efsext.dll+2d2c|C:\Windows\system32\EFSCORE.dll+18451|C:\Windows\system32\EFSCORE.dll+17c2a|C:\Windows\system32\EFSCORE.dll+17805|C:\Windows\system32\EFSCORE.dll+18bd|C:\Windows\system32\efssvc.dll+1337|C:\Windows\System32\sechost.dll+b71a|C:\Windows\System32\sechost.dll+a574|C:\Windows\system32\lsasrv.dll+5212e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005657Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.996{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005656Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.996{B364217D-61FE-5FCE-0000-0010E0650000}604912C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005655Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.996{B364217D-61FE-5FCE-0000-0010E0650000}604912C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005654Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.996{B364217D-61FE-5FCE-0000-0010E0650000}604912C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005653Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.007{B364217D-6461-5FCE-0000-0010A3760900}1256C:\Windows\System32\efsui.exe10.0.14393.0 (rs1_release.160715-1616)EFS UI ApplicationMicrosoft® Windows® Operating SystemMicrosoft Corporationefsui.exeefsui.exe /efs /installdraC:\Windows\system32\ATTACKRANGE\Administrator{B364217D-6460-5FCE-0000-0020BD420900}0x942bd2HighMD5=6DFA1BBB4D2F89DC46BACABC83B6AB95,SHA256=1106CE6AE6EDFFA752D71F5EFF9FAAB53360CFFC6B224957760FBDC0A7D4FF17,IMPHASH=B865E978ADDB9A939A91896A60E81464{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\System32\lsass.exeC:\Windows\system32\lsass.exe 10341000x80000000000000005652Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.996{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005651Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.996{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005650Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.996{B364217D-61FE-5FCE-0000-0010E0650000}604912C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005649Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.996{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005648Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.996{B364217D-61FE-5FCE-0000-0010E0650000}604912C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005647Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.996{B364217D-61FE-5FCE-0000-0010E0650000}604912C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005646Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.996{B364217D-61FE-5FCE-0000-0010E0650000}604912C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005645Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.996{B364217D-61FE-5FCE-0000-0010E0650000}604912C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005644Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.996{B364217D-61FE-5FCE-0000-0010E0650000}604912C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005643Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.996{B364217D-61FE-5FCE-0000-0010E0650000}604912C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005642Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.996{B364217D-61FE-5FCE-0000-0010E0650000}604912C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005641Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.996{B364217D-61FE-5FCE-0000-0010E0650000}604912C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23e0b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005640Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.996{B364217D-61FE-5FCE-0000-0010E0650000}604912C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005639Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.996{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005638Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.996{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005637Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.996{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005636Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.996{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00101ABA0000}1144C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000005635Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.996{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00101ABA0000}1144C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000005634Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.996{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+37c3|c:\windows\system32\SYSNTFY.dll+1dcb|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+52568|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005633Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:32.996{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010CF620800}2756C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+50d64|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005975Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.605{B364217D-61FC-5FCE-0000-001019540000}856100C:\Windows\system32\lsass.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005974Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.605{B364217D-61FC-5FCE-0000-001019540000}856100C:\Windows\system32\lsass.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005973Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.605{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005972Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.605{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005971Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.511{B364217D-6462-5FCE-0000-00104B090A00}56925724C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-0010EAFF0900}5628C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114786|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005970Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.511{B364217D-6462-5FCE-0000-00104B090A00}56925728C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-0010EAFF0900}5628C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114786|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005969Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.417{B364217D-61FC-5FCE-0000-00103B530000}848916C:\Windows\system32\services.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005968Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.417{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005967Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.402{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005966Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.402{B364217D-61FC-5FCE-0000-00103B530000}8481128C:\Windows\system32\services.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005965Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.402{B364217D-61FC-5FCE-0000-001019540000}856100C:\Windows\system32\lsass.exe{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005964Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.402{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005963Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.402{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005962Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.402{B364217D-61FC-5FCE-0000-001019540000}856100C:\Windows\system32\lsass.exe{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005961Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.402{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005960Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.386{B364217D-61FC-5FCE-0000-001019540000}856100C:\Windows\system32\lsass.exe{B364217D-6462-5FCE-0000-0010EAFF0900}5628C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005959Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.386{B364217D-61FC-5FCE-0000-001019540000}856100C:\Windows\system32\lsass.exe{B364217D-6462-5FCE-0000-0010EAFF0900}5628C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005958Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.386{B364217D-6462-5FCE-0000-0010EAFF0900}56285660C:\Windows\System32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b234|c:\windows\system32\appreadiness.dll+c029|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000005957Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.386{B364217D-6462-5FCE-0000-0010EAFF0900}56285660C:\Windows\System32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b167|c:\windows\system32\appreadiness.dll+bfb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000005956Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.386{B364217D-6462-5FCE-0000-0010EAFF0900}56285660C:\Windows\System32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b234|c:\windows\system32\appreadiness.dll+b81e|c:\windows\system32\appreadiness.dll+b725|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x80000000000000005955Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.386{B364217D-6462-5FCE-0000-0010EAFF0900}56285660C:\Windows\System32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b167|c:\windows\system32\appreadiness.dll+b780|c:\windows\system32\appreadiness.dll+b725|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x80000000000000005954Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.386{B364217D-6462-5FCE-0000-0010EAFF0900}56285656C:\Windows\System32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b234|c:\windows\system32\appreadiness.dll+c029|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000005953Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.386{B364217D-6462-5FCE-0000-0010EAFF0900}56285656C:\Windows\System32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b167|c:\windows\system32\appreadiness.dll+bfb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000005952Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.386{B364217D-6462-5FCE-0000-0010EAFF0900}56285660C:\Windows\System32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b234|c:\windows\system32\appreadiness.dll+c029|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000005951Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.371{B364217D-6462-5FCE-0000-0010EAFF0900}56285660C:\Windows\System32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b167|c:\windows\system32\appreadiness.dll+bfb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000005950Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.371{B364217D-6462-5FCE-0000-0010EAFF0900}56285660C:\Windows\System32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b234|c:\windows\system32\appreadiness.dll+b81e|c:\windows\system32\appreadiness.dll+b725|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x80000000000000005949Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.355{B364217D-6462-5FCE-0000-0010EAFF0900}56285660C:\Windows\System32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b167|c:\windows\system32\appreadiness.dll+b780|c:\windows\system32\appreadiness.dll+b725|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x80000000000000005948Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.355{B364217D-6462-5FCE-0000-0010EAFF0900}56285660C:\Windows\System32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b234|c:\windows\system32\appreadiness.dll+c029|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000005947Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.355{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-0010EAFF0900}5628C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005946Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.355{B364217D-6462-5FCE-0000-0010EAFF0900}56285660C:\Windows\System32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b167|c:\windows\system32\appreadiness.dll+bfb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000005945Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.339{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-0010EAFF0900}5628C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005944Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.324{B364217D-61FC-5FCE-0000-00103B530000}848916C:\Windows\system32\services.exe{B364217D-6462-5FCE-0000-0010EAFF0900}5628C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005943Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.324{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005942Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.324{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005941Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.324{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005940Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.324{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005939Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.324{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6462-5FCE-0000-0010EAFF0900}5628C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005938Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.324{B364217D-61FC-5FCE-0000-00103B530000}8481128C:\Windows\system32\services.exe{B364217D-6462-5FCE-0000-0010EAFF0900}5628C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005937Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.324{B364217D-6462-5FCE-0000-0010EAFF0900}5628C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\System32\svchost.exe -k AppReadinessC:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7,IMPHASH=2CED93915677390B76EE1916B92F3EF6{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000005936Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.308{B364217D-61FC-5FCE-0000-001019540000}856100C:\Windows\system32\lsass.exe{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005935Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.308{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005934Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.308{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005933Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.308{B364217D-61FC-5FCE-0000-001019540000}856100C:\Windows\system32\lsass.exe{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x80000000000000005932Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:33.209{B364217D-6461-5FCE-0000-0010A3760900}1256win-dc-692.attackrange.local0fe80::31f6:3ddb:dc7:b397;::ffff:10.0.1.14;C:\Windows\System32\efsui.exe 10341000x80000000000000005931Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.263{B364217D-61FC-5FCE-0000-001019540000}856100C:\Windows\system32\lsass.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000005930Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:34.263{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x0000054e) 10341000x80000000000000005929Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.263{B364217D-61FC-5FCE-0000-001019540000}856100C:\Windows\system32\lsass.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005928Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.105{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000005927Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:34.058{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Options\EnablePacketQueueDWORD (0x00000000) 13241300x80000000000000005926Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:34.043{B364217D-61FE-5FCE-0000-001028D10000}1332C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x80000000000000005925Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.043{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005924Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.043{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005923Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.043{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005922Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.043{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005921Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.043{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005920Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.043{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005919Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.043{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+58a7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005918Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.043{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005917Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.043{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005916Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.043{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000005915Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.996{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\NTDS\Parameters\ldapserverintegrityDWORD (0x00000001) 13241300x80000000000000005914Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.996{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Netlogon\Parameters\requiresignorsealDWORD (0x00000001) 13241300x80000000000000005913Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.996{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\requiresecuritysignatureDWORD (0x00000001) 13241300x80000000000000005912Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:33.996{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\enablesecuritysignatureDWORD (0x00000001) 13241300x80000000000000005911Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localT1101SetValue2020-12-07 17:20:33.996{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001) 10341000x80000000000000006182Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.964{B364217D-6462-5FCE-0000-00104B090A00}56925728C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-0010EAFF0900}5628C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114786|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006181Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.949{B364217D-6462-5FCE-0000-00104B090A00}56925724C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-0010EAFF0900}5628C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114786|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006180Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.917{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006179Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.917{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006178Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.917{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006177Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.917{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006176Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.917{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006175Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.917{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006174Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.917{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006173Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.917{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006172Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.917{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006171Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.917{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006170Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.917{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006169Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.917{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006168Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.917{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006167Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.917{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006166Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.917{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006165Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.917{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006164Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.917{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006163Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.917{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006162Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.917{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006161Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.917{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006160Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.917{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006159Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.902{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006158Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.902{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006157Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.902{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006156Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.902{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006155Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.902{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006154Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.902{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006153Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.902{B364217D-61FE-5FCE-0000-00102EBA0000}11361528C:\Windows\system32\svchost.exe{B364217D-6463-5FCE-0000-001014400A00}5984C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006152Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.902{B364217D-61FE-5FCE-0000-00102EBA0000}11361624C:\Windows\system32\svchost.exe{B364217D-6463-5FCE-0000-001014400A00}5984C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006151Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.886{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006150Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.886{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006149Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.886{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006148Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.886{B364217D-645F-5FCE-0000-0010EA600800}42163324C:\Windows\system32\csrss.exe{B364217D-6463-5FCE-0000-001014400A00}5984C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006147Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.886{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006146Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.886{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6463-5FCE-0000-001014400A00}5984C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006145Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.886{B364217D-6462-5FCE-0000-00104B090A00}56925800C:\Windows\system32\svchost.exe{B364217D-6463-5FCE-0000-001014400A00}5984C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\System32\AppXDeploymentExtensions.desktop.dll+21b54|C:\Windows\System32\AppXDeploymentExtensions.desktop.dll+2a21d|c:\windows\system32\appxdeploymentserver.dll+15697f|c:\windows\system32\appxdeploymentserver.dll+ae504|c:\windows\system32\appxdeploymentserver.dll+92924|c:\windows\system32\appxdeploymentserver.dll+19e0c|c:\windows\system32\appxdeploymentserver.dll+2bffd|c:\windows\system32\appxdeploymentserver.dll+2bdf9|C:\Windows\SYSTEM32\ntdll.dll+803e4|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006144Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.888{B364217D-6463-5FCE-0000-001014400A00}5984C:\Windows\System32\rundll32.exe10.0.14393.0 (rs1_release.160715-1616)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXErundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefreshC:\Windows\system32\ATTACKRANGE\Administrator{B364217D-6460-5FCE-0000-0020BD420900}0x942bd2HighMD5=C7645D43451C6D94D87F4D07BDE59C89,SHA256=495BBA47FC43EE23054FCD419F2F00457162D1C04296900C6AEA551102A810F3,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k wsappx 13241300x80000000000000006143Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:35.856{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773S-1-5-21-2034510999-1345200767-2897500970-500v2.26|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|C=S-1-15-3-1|C=S-1-15-3-3|C=S-1-15-3-787448254-1207972858-3558633622-1059886964|C=S-1-15-3-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|B=C:\Windows\system32\wwahost.exe|M=microsoft.windows.cloudexperiencehost_cw5n1h2txyewy|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|D=C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\|PFN=Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy| 13241300x80000000000000006142Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:35.839{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{CDC084F0-C1BA-49D9-97CB-D19E2E7006B1}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ| 13241300x80000000000000006141Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:35.839{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{87B2B80E-F3F5-4D3C-9461-27F638D5542A}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ| 10341000x80000000000000006140Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.839{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006139Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.839{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006138Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.839{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006137Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.839{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006136Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.839{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000006135Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:35.839{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{5A81EAFE-B2A7-4614-A974-63E96295391F}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}| 13241300x80000000000000006134Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:35.839{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{4495C85C-99BE-4B02-BDD6-19A8317CE5EA}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Security=Authenticate| 10341000x80000000000000006133Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.839{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000006132Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:35.839{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{67DA17E7-A88D-4F56-8671-16F8B52CC46C}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Security=Authenticate| 10341000x80000000000000006131Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.839{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000006130Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:35.839{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{69798443-8B9C-497B-BE9E-21EC810D7191}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}| 13241300x80000000000000006129Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:35.824{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{ACA92293-9CB4-45C2-B915-0BC412590E3E}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}| 13241300x80000000000000006128Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:35.824{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{E736E42F-C076-45A6-8D02-DAA78E49A1E4}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}| 13241300x80000000000000006127Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:35.824{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{7C366D26-AA1F-423A-A1A7-32AADCFD69F4}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}| 10341000x80000000000000006126Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.824{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006125Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.824{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006124Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.824{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006123Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.824{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006122Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.824{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006121Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.824{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006120Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.824{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006119Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.824{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006118Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.824{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006117Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.824{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006116Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.824{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006115Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.824{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006114Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.824{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006113Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.824{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006112Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.824{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006111Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.824{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006110Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.824{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006109Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.824{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006108Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.824{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006107Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.824{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000006106Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:35.808{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272S-1-5-21-2034510999-1345200767-2897500970-500v2.26|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|C=S-1-15-3-1|C=S-1-15-3-3|C=S-1-15-3-8|C=S-1-15-3-9|C=S-1-15-3-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|M=microsoft.aad.brokerplugin_cw5n1h2txyewy|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|D=C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\|PFN=Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy| 13241300x80000000000000006105Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:35.792{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{552CD5EC-AB04-4112-AB13-9C54023741CD}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x80000000000000006104Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:35.792{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{46E95188-FB38-44A4-AF06-B96362CB989B}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x80000000000000006103Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:35.792{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{3E469B14-C9F6-4512-A0B6-21C3FF6CAB67}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}| 13241300x80000000000000006102Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:35.792{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{5CF06B4B-B7F1-42DF-A804-5C75F4C41CF9}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Security=Authenticate| 13241300x80000000000000006101Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:35.792{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{EF4F60AD-5D62-471A-89EC-F2925B36E278}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Security=Authenticate| 13241300x80000000000000006100Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:35.792{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{D0BB6680-1542-4F77-BFD0-A6FECB90DC7D}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}| 13241300x80000000000000006099Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:35.792{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{EA416F0B-84C9-44CD-AD74-20FFC3160E02}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}| 13241300x80000000000000006098Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:35.792{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{7974E54E-3886-48E8-8D31-A72D22E2ED4E}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}| 13241300x80000000000000006097Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:35.792{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{08FB3AAE-9A16-42AE-ADA3-2035F6D6EBC0}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}| 10341000x80000000000000006096Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.792{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006095Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.792{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006094Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.792{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006093Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.792{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006092Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.792{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006091Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.792{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006090Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.777{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006089Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.777{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006088Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.777{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006087Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.777{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006086Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.777{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006085Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.777{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006084Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.777{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006083Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.777{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006082Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.777{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006081Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.777{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006080Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.777{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006079Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.777{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006078Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.745{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006077Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.745{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006076Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.745{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006075Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.745{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006074Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.745{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006073Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.730{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006072Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.730{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006071Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.714{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006070Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.714{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006069Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.714{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006068Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.714{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006067Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.714{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006066Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.714{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006065Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.714{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006064Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.714{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006063Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.714{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006062Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.714{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006061Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.714{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006060Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.714{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006059Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.714{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006058Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.714{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006057Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.714{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006056Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.714{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006055Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.714{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006054Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.714{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006053Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.714{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006052Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.714{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006051Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.699{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006050Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.699{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006049Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.699{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006048Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.699{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006047Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.699{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006046Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.699{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006045Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.699{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006044Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.683{B364217D-6462-5FCE-0000-00104B090A00}56925724C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-0010EAFF0900}5628C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114786|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006043Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.667{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006042Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.667{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006041Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.605{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6463-5FCE-0000-0010E7240A00}5912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006040Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.605{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6463-5FCE-0000-0010E7240A00}5912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006039Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.605{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6463-5FCE-0000-0010E7240A00}5912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006038Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.574{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006037Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.574{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006036Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.574{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006035Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.574{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006034Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.574{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006033Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.574{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006032Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.574{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006031Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.542{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006030Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.542{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006029Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.542{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006028Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.542{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006027Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.542{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006026Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.542{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006025Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.542{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006024Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.542{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006023Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.542{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006022Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.542{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006021Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.542{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006020Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.542{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006019Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.542{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006018Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.542{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006017Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.527{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006016Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.527{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006015Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.527{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006014Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.527{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006013Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.527{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006012Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.527{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000006011Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:35.511{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\PolicyVersionDWORD (0x0000021a) 13241300x80000000000000006010Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:35.511{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-19479607-1015771884-3827151630-3301822711-2267158487-4079414233-1230461222S-1-5-21-2034510999-1345200767-2897500970-500v2.26|AppPkgId=S-1-15-2-19479607-1015771884-3827151630-3301822711-2267158487-4079414233-1230461222|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|C=S-1-15-3-3845273463-1331427702-1186551195-1148109977|C=S-1-15-3-787448254-1207972858-3558633622-1059886964|C=S-1-15-3-19479607-1015771884-3827151630-3301822711-2267158487-4079414233-1230461222|M=microsoft.bioenrollment_cw5n1h2txyewy|Name=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|Desc=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|D=C:\Windows\SystemApps\Microsoft.BioEnrollment_cw5n1h2txyewy\|PFN=Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy| 13241300x80000000000000006009Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:35.495{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{511661AE-81B9-4D74-944E-5E758E30BF51}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|Desc=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-19479607-1015771884-3827151630-3301822711-2267158487-4079414233-1230461222|EmbedCtxt=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}| 13241300x80000000000000006008Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:35.480{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{0E899008-FDD5-4D2C-B877-5B92A985A8AE}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|Desc=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-19479607-1015771884-3827151630-3301822711-2267158487-4079414233-1230461222|EmbedCtxt=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}| 10341000x80000000000000006007Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.417{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006006Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.324{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6463-5FCE-0000-00105B190A00}5852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006005Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.324{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6463-5FCE-0000-00105B190A00}5852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006004Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.324{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6463-5FCE-0000-00105B190A00}5852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006003Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.308{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006002Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.308{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006001Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.308{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006000Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.308{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005999Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.308{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005998Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.308{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005997Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.277{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005996Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.277{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005995Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.277{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005994Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.277{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005993Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.277{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005992Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.277{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005991Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.277{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005990Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.277{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005989Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.277{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005988Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.277{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005987Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.277{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005986Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.277{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005985Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.183{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005984Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.183{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005983Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.183{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005982Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.183{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005981Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.183{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005980Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.183{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005979Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.183{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005978Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.167{B364217D-61FC-5FCE-0000-001019540000}856100C:\Windows\system32\lsass.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25dfa|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005977Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.167{B364217D-61FC-5FCE-0000-001019540000}856100C:\Windows\system32\lsass.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005976Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:20:34.995{B364217D-645B-5FCE-0000-001068580800}5008C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1390-0\System.dll2020-12-07 17:20:34.995 13241300x80000000000000006428Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:36.871{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312S-1-5-21-2034510999-1345200767-2897500970-500v2.26|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|C=S-1-15-3-1|C=S-1-15-3-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|M=microsoft.lockapp_cw5n1h2txyewy|Name=@{Microsoft.LockApp_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|D=C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\|PFN=Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy| 13241300x80000000000000006427Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:36.839{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{9A18D857-7B6A-469D-B408-09136923D99C}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x80000000000000006426Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:36.839{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{7B4A2F3D-EBAC-443A-BACE-28005DDB61D4}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}| 13241300x80000000000000006425Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:36.839{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{22B245CD-CED9-4298-A4F6-D9D386D7963A}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}| 13241300x80000000000000006424Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:36.839{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{5360DA75-42FA-4CFD-87A3-58548CCBC6C2}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}| 13241300x80000000000000006423Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:36.824{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742S-1-5-21-2034510999-1345200767-2897500970-500v2.26|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|C=S-1-15-3-1|C=S-1-15-3-2|C=S-1-15-3-3|C=S-1-15-3-4|C=S-1-15-3-6|C=S-1-15-3-8|C=S-1-15-3-9|C=S-1-15-3-787448254-1207972858-3558633622-1059886964|C=S-1-15-3-3215430884-1339816292-89257616-1145831019|C=S-1-15-3-3071617654-1314403908-1117750160-3581451107|C=S-1-15-3-593192589-1214558892-284007604-3553228420|C=S-1-15-3-3870101518-1154309966-1696731070-4111764952|C=S-1-15-3-2105443330-1210154068-4021178019-2481794518|C=S-1-15-3-2345035983-1170044712-735049875-2883010875|C=S-1-15-3-3633849274-1266774400-1199443125-2736873758|C=S-1-15-3-2569730672-1095266119-53537203-1209375796|C=S-1-15-3-2569730672-1095266119-53537203-1209375796|C=S-1-15-3-2452736844-1257488215-2818397580-3305426111|C=S-1-15-3-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|M=microsoft.windows.cortana_cw5n1h2txyewy|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|D=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\|PFN=Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy| 10341000x80000000000000006422Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.808{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006421Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.808{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006420Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.808{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006419Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.808{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000006418Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:36.808{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{8CF920AD-6A1A-4F9C-BD8E-51D7AD53955C}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|Edge=TRUE| 10341000x80000000000000006417Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.808{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000006416Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:36.808{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{E01895E0-CF75-4669-AE82-8296DDA19ADE}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ| 10341000x80000000000000006415Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.808{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000006414Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:36.808{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{A2FE52FC-613F-4899-B8EE-06000CBDD10E}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-2)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 13241300x80000000000000006413Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:36.808{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{93C8EABB-3365-4343-9090-A7C1B2FFACF5}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-2)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 13241300x80000000000000006412Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:36.808{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{4C1EF86C-51AA-4B81-A471-95D4B891B9EE}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Security=Authenticate| 13241300x80000000000000006411Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:36.808{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{8D3E5741-B435-462A-B8D0-C0D5F0CB55B0}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Security=Authenticate| 10341000x80000000000000006410Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.808{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006409Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.808{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006408Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.808{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000006407Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:36.808{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{2719145F-D0C2-4271-8847-70FB26FE9222}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 10341000x80000000000000006406Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.792{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006405Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.792{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000006404Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:36.808{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{52DEF3DC-CEED-43F0-8D25-3F5BAAC1C30B}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 10341000x80000000000000006403Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.792{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006402Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.792{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006401Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.792{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006400Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.792{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006399Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.792{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006398Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.792{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000006397Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:36.792{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{59EC7F41-ECA0-4393-8859-1A966BE1B493}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 10341000x80000000000000006396Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.792{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000006395Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:36.792{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{B9B7A490-7DDD-49E5-BF5A-E5B03572EB49}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 10341000x80000000000000006394Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.792{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006393Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.792{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006392Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.792{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006391Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.792{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006390Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.792{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006389Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.792{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006388Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.792{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006387Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.761{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006386Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.761{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006385Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.730{B364217D-6462-5FCE-0000-00104B090A00}56925728C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-0010EAFF0900}5628C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114786|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006384Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.714{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006383Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.714{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006382Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.714{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006381Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.714{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006380Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.714{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006379Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.714{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006378Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.714{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006377Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.714{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006376Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.714{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006375Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.714{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006374Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.714{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006373Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.714{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006372Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.714{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006371Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.714{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006370Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.714{B364217D-61FE-5FCE-0000-0010D5C80000}12481388C:\Windows\System32\svchost.exe{B364217D-61FE-5FCE-0000-001037C40000}1204C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+1969|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006369Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.714{B364217D-61FE-5FCE-0000-0010D5C80000}12481388C:\Windows\System32\svchost.exe{B364217D-61FE-5FCE-0000-001037C40000}1204C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\ncbservice.dll+165c|c:\windows\system32\ncbservice.dll+227a|c:\windows\system32\ncbservice.dll+205e|c:\windows\system32\ncbservice.dll+1bdb|c:\windows\system32\ncbservice.dll+181b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006368Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.714{B364217D-61FE-5FCE-0000-0010D5C80000}12481388C:\Windows\System32\svchost.exe{B364217D-61FE-5FCE-0000-001037C40000}1204C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+17cf|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006367Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.714{B364217D-61FE-5FCE-0000-0010D5C80000}12481388C:\Windows\System32\svchost.exe{B364217D-61FE-5FCE-0000-001037C40000}1204C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+2e77|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006366Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.699{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006365Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.699{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006364Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.699{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006363Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.699{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006362Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.699{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006361Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.699{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006360Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.699{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006359Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.699{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006358Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.699{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006357Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.699{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006356Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.699{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006355Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.699{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006354Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.699{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000006353Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:36.652{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633S-1-5-21-2034510999-1345200767-2897500970-500v2.26|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|C=S-1-15-3-1|C=S-1-15-3-9|C=S-1-15-3-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|M=microsoft.accountscontrol_cw5n1h2txyewy|Name=@{Microsoft.AccountsControl_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|D=C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\|PFN=Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy| 13241300x80000000000000006352Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:36.636{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{DA14A191-A335-4E1E-9ECD-2BB51E8EC8CE}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x80000000000000006351Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:36.636{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{E3C91AFD-93CD-46A9-964A-4601E7017A4B}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}| 13241300x80000000000000006350Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:36.636{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{0D8721AC-64C9-48BB-888D-51A76881191A}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}| 13241300x80000000000000006349Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:36.636{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{9570027C-DA6F-43C9-B060-1C0743DC22C8}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}| 10341000x80000000000000006348Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.605{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006347Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.605{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006346Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.605{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006345Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.605{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006344Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.605{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006343Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.605{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006342Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.605{B364217D-61FE-5FCE-0000-0010D5C80000}12481388C:\Windows\System32\svchost.exe{B364217D-61FE-5FCE-0000-001037C40000}1204C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+2e77|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006341Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.605{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006340Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.605{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006339Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.605{B364217D-61FC-5FCE-0000-001019540000}856896C:\Windows\system32\lsass.exe{B364217D-61FC-5FCE-0000-00103B530000}848C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006338Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.605{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006337Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.605{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006336Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.605{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006335Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.605{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006334Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.605{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006333Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.605{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006332Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.605{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006331Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.605{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006330Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.605{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006329Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.605{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006328Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.605{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006327Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.605{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006326Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.589{B364217D-61FC-5FCE-0000-001019540000}856896C:\Windows\system32\lsass.exe{B364217D-6461-5FCE-0000-0010AF940900}4520C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006325Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.589{B364217D-61FC-5FCE-0000-001019540000}856896C:\Windows\system32\lsass.exe{B364217D-6461-5FCE-0000-0010AF940900}4520C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006324Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.589{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006323Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.589{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006322Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.589{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006321Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.589{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006320Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.589{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006319Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.589{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006318Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.589{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006317Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.574{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006316Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.559{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006315Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.559{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006314Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.527{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006313Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.527{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006312Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.527{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006311Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.527{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006310Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.527{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006309Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.527{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006308Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.527{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006307Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.527{B364217D-6462-5FCE-0000-00104B090A00}56925728C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-0010EAFF0900}5628C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114786|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006306Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.511{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006305Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.511{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006304Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.511{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006303Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.511{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006302Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.511{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006301Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.511{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006300Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.511{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006299Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.511{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006298Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.511{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006297Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.511{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006296Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.511{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006295Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.511{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006294Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.511{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006293Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.495{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006292Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.495{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006291Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.495{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006290Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.495{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006289Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.495{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006288Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.495{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006287Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.495{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006286Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.495{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006285Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.495{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006284Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.495{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006283Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.495{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006282Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.495{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006281Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.495{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006280Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.495{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006279Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.495{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006278Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.495{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006277Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.495{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006276Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.495{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006275Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.495{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006274Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.495{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006273Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.495{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006272Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.495{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006271Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.495{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006270Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.495{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006269Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.495{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006268Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.495{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006267Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.495{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006266Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.495{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006265Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.495{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006264Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.495{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006263Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.480{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006262Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.480{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006261Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.480{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006260Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.480{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006259Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.480{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006258Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.480{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006257Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.480{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006256Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.480{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006255Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.480{B364217D-6461-5FCE-0000-0010058A0900}18202216C:\Windows\System32\RuntimeBroker.exe{B364217D-6461-5FCE-0000-0010AF940900}4520C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\TokenBroker.dll+1acfa|C:\Windows\System32\TokenBroker.dll+1d475|C:\Windows\System32\TokenBroker.dll+1d7f9|C:\Windows\System32\TokenBroker.dll+1e8f3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+5086c|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x80000000000000006254Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.480{B364217D-6461-5FCE-0000-0010058A0900}18202216C:\Windows\System32\RuntimeBroker.exe{B364217D-6461-5FCE-0000-0010AF940900}4520C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\TokenBroker.dll+21886|C:\Windows\System32\TokenBroker.dll+1ac23|C:\Windows\System32\TokenBroker.dll+1d475|C:\Windows\System32\TokenBroker.dll+1d7f9|C:\Windows\System32\TokenBroker.dll+1e8f3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+5086c|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000006253Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.449{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006252Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.449{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006251Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.449{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006250Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.449{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006249Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.449{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006248Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.449{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006247Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.449{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006246Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.433{B364217D-6462-5FCE-0000-00104B090A00}56925728C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-0010EAFF0900}5628C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114786|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006245Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.433{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006244Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.433{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006243Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.433{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006242Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.417{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006241Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.417{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006240Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.417{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006239Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.417{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006238Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.417{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006237Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.417{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006236Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.417{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006235Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.402{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006234Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.402{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006233Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.402{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006232Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.402{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006231Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.402{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006230Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.402{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006229Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.402{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006228Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.402{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006227Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.402{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006226Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.402{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006225Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.402{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006224Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.402{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006223Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.402{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006222Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.402{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006221Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.402{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006220Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.402{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006219Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.402{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006218Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.402{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006217Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.402{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006216Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.402{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x80000000000000006215Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:34.338{B364217D-6457-5FCE-0000-001038080800}4700win-dc-692.attackrange.local0fe80::31f6:3ddb:dc7:b397;::ffff:10.0.1.14;C:\Windows\System32\taskhostw.exe 13241300x80000000000000006214Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:36.120{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708S-1-5-21-2034510999-1345200767-2897500970-500v2.26|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|C=S-1-15-3-1|C=S-1-15-3-4|C=S-1-15-3-15993189-1149757597-3280441496-4094800555|C=S-1-15-3-139472938-1339732804-1469114779-4031155563|C=S-1-15-3-1849407097-1086866290-155560606-3624675039|C=S-1-15-3-2015030808-1290041139-4103196845-2461361948|C=S-1-15-3-2973957182-1175190094-721927306-1883016034|C=S-1-15-3-3633849274-1266774400-1199443125-2736873758|C=S-1-15-3-2105443330-1210154068-4021178019-2481794518|C=S-1-15-3-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|M=microsoft.windows.shellexperiencehost_cw5n1h2txyewy|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|D=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\|PFN=Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy| 13241300x80000000000000006213Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:36.120{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{8950A88B-8B34-49C3-8E1C-186D75F0753E}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x80000000000000006212Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:36.120{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{5DC6F840-0E84-45C1-8068-55856FE120BD}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}| 13241300x80000000000000006211Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:36.120{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{F96ED234-040D-4F24-B635-15AA768BE0E4}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}| 13241300x80000000000000006210Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:36.120{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{3E77E969-52E1-4024-8AA9-2E7FCC13DAC3}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}| 10341000x80000000000000006209Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.042{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006208Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.042{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006207Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.027{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006206Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.027{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006205Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.027{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006204Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.027{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006203Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.027{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006202Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.027{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006201Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.027{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006200Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.027{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006199Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.027{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006198Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.027{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006197Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.027{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006196Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.027{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006195Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.027{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006194Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.027{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006193Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.027{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006192Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.027{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006191Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.011{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006190Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.011{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006189Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.011{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006188Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.011{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006187Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.011{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006186Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.011{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006185Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.011{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006184Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.995{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006183Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:35.995{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006806Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.964{B364217D-645F-5FCE-0000-0010EA600800}42163292C:\Windows\system32\csrss.exe{B364217D-6465-5FCE-0000-00104C070B00}3312C:\Windows\System32\ie4uinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006805Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.964{B364217D-6461-5FCE-0000-001072CC0900}55125516C:\Windows\Explorer.EXE{B364217D-6465-5FCE-0000-00104C070B00}3312C:\Windows\System32\ie4uinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+13755f|C:\Windows\System32\windows.storage.dll+1371d5|C:\Windows\System32\windows.storage.dll+136cc6|C:\Windows\System32\windows.storage.dll+138138|C:\Windows\System32\windows.storage.dll+136aee|C:\Windows\System32\windows.storage.dll+10a3b5|C:\Windows\System32\windows.storage.dll+10a734|C:\Windows\System32\windows.storage.dll+109d70|C:\Windows\System32\windows.storage.dll+1241fa|C:\Windows\System32\windows.storage.dll+123f5a|C:\Windows\System32\SHELL32.dll+77991|C:\Windows\System32\SHELL32.dll+767f6|C:\Windows\System32\SHELL32.dll+110821|C:\Windows\System32\SHELL32.dll+7888e|C:\Windows\System32\SHELL32.dll+552284|C:\Windows\System32\SHELL32.dll+551ce0|C:\Windows\System32\SHELL32.dll+551e54|C:\Windows\System32\SHELL32.dll+234591|C:\Windows\System32\SHELL32.dll+23444c|C:\Windows\System32\SHELL32.dll+1234a1 10341000x80000000000000006804Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.949{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006803Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.949{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006802Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.949{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006801Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.949{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006800Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.957{B364217D-6465-5FCE-0000-00104C070B00}3312C:\Windows\System32\ie4uinit.exe11.00.14393.2999 (rs1_release_inmarket.190520-1518)IE Per-User Initialization UtilityInternet ExplorerMicrosoft CorporationIE4UINIT.EXE"C:\Windows\System32\ie4uinit.exe" -UserConfigC:\Windows\system32\ATTACKRANGE\Administrator{B364217D-6460-5FCE-0000-0020BD420900}0x942bd2HighMD5=8450580ADC40581006B7233F2B2803EB,SHA256=DD7FE0DBD6BD3B66437C093B707D1B2CA8AC72E4671B88829A4327FA6B8A00BD,IMPHASH=A9F54FA8B3C0ECA158788E684C66CA9A{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x80000000000000006799Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.839{B364217D-6461-5FCE-0000-0010D0970900}31525316C:\Windows\system32\taskhostw.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006798Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.574{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006797Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.574{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006796Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.574{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006795Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.574{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006794Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.574{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006793Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.574{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006792Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.574{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006791Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.574{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006790Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.574{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006789Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.574{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006788Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.574{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006787Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.574{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006786Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.574{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006785Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.574{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006784Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.574{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006783Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.574{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006782Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.574{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006781Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.574{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006780Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.574{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006779Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.574{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006778Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.574{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006777Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.574{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006776Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.574{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006775Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.574{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006774Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.574{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006773Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.574{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006772Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.574{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006771Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.542{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006770Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.542{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006769Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.542{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006768Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.542{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006767Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.542{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006766Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.542{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006765Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.542{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006764Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.527{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006763Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.527{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006762Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.495{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006761Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.495{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006760Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.495{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006759Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.495{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006758Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.495{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006757Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.495{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006756Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.495{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006755Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.495{B364217D-6462-5FCE-0000-00104B090A00}56925728C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-0010EAFF0900}5628C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114786|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006754Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.495{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006753Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.495{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006752Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.495{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006751Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.495{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006750Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.495{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006749Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.495{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006748Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.495{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006747Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.495{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006746Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.495{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006745Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.495{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006744Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.495{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006743Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.495{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006742Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.495{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006741Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.495{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006740Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.480{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006739Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.480{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006738Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.480{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006737Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.480{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006736Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.480{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006735Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.480{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006734Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.480{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006733Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.480{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006732Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.480{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006731Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.480{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006730Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.480{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006729Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.480{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006728Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.480{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006727Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.464{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006726Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.464{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006725Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.464{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006724Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.464{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006723Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.464{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006722Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.464{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006721Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.464{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006720Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.464{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006719Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.464{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006718Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.464{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006717Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.464{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006716Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.464{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006715Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.464{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006714Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.464{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006713Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.464{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006712Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.464{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006711Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.464{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006710Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.464{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006709Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.464{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006708Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.464{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000006707Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:37.449{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493S-1-5-21-2034510999-1345200767-2897500970-500v2.26|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|C=S-1-15-3-1|C=S-1-15-3-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|M=microsoft.xboxgamecallableui_cw5n1h2txyewy|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|D=C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\|PFN=Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy| 13241300x80000000000000006706Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:37.449{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{1BC9ACA1-7786-4DC1-946B-52D04B91F73D}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x80000000000000006705Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:37.449{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{DB6F51EE-1CE4-46AC-9025-9E4D40536342}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}| 13241300x80000000000000006704Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:37.433{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{8483FB62-A86A-448F-909E-015BFDF96B1F}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}| 13241300x80000000000000006703Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:37.433{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{D8CA1149-1D74-4F28-A1F9-B356B47EB960}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}| 10341000x80000000000000006702Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.417{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006701Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.417{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006700Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.417{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006699Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.417{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006698Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.417{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006697Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.417{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006696Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.417{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006695Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.417{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006694Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.417{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006693Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.417{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006692Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.417{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006691Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.417{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006690Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.402{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006689Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.402{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006688Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.402{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006687Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.402{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006686Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.402{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006685Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.402{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006684Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.402{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006683Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.402{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006682Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.402{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006681Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.402{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006680Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.402{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006679Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.402{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006678Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.402{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006677Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.386{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006676Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.386{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006675Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.355{B364217D-6462-5FCE-0000-00104B090A00}56925728C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-0010EAFF0900}5628C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114786|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006674Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.355{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006673Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.355{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006672Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.355{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006671Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.355{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006670Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.355{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006669Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.355{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006668Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.355{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006667Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.324{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006666Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.324{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006665Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.324{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006664Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.324{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006663Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.324{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006662Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.324{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006661Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.324{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006660Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.324{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006659Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.324{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006658Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.324{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006657Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.324{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006656Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.324{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006655Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.324{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006654Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.324{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006653Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.324{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006652Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.324{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006651Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.324{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006650Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.324{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006649Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.324{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006648Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.324{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006647Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.324{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006646Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.324{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006645Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.324{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006644Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.324{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006643Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.324{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006642Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.324{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006641Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.324{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006640Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.324{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006639Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.324{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000006638Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:37.308{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-2572118008-3077471215-3128327636-2598586217-811314952-2132569887-2279274531S-1-5-21-2034510999-1345200767-2897500970-500v2.26|AppPkgId=S-1-15-2-2572118008-3077471215-3128327636-2598586217-811314952-2132569887-2279274531|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|C=S-1-15-3-2572118008-3077471215-3128327636-2598586217-811314952-2132569887-2279274531|M=microsoft.windows.secondarytileexperience_cw5n1h2txyewy|Name=SecondaryTileExperience|Desc=SecondaryTileExperience|D=C:\Windows\SystemApps\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\|PFN=Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy| 13241300x80000000000000006637Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:37.308{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{F518D4F7-41F3-4FBB-BDB8-4BF52D1EB843}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=SecondaryTileExperience|Desc=SecondaryTileExperience|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-2572118008-3077471215-3128327636-2598586217-811314952-2132569887-2279274531|EmbedCtxt=SecondaryTileExperience| 13241300x80000000000000006636Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:37.308{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{918DFDB2-764B-47BA-AF30-7F2D2B4B30E0}v2.26|Action=Block|Active=TRUE|Dir=In|Name=SecondaryTileExperience|Desc=SecondaryTileExperience|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-2572118008-3077471215-3128327636-2598586217-811314952-2132569887-2279274531|EmbedCtxt=SecondaryTileExperience| 10341000x80000000000000006635Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.292{B364217D-6462-5FCE-0000-00104B090A00}56925728C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-0010EAFF0900}5628C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114786|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006634Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.277{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006633Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.277{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006632Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.277{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006631Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.277{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006630Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.277{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006629Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.277{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006628Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.277{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006627Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.277{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006626Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.277{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006625Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.277{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006624Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.277{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006623Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.277{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006622Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.277{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006621Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.277{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006620Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.277{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006619Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.277{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006618Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.277{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006617Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.277{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006616Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.277{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006615Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.277{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006614Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.277{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006613Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.277{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006612Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.277{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006611Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.277{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006610Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.277{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006609Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.277{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006608Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.277{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006607Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.277{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006606Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.277{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006605Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.277{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006604Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.277{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006603Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.277{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006602Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.261{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006601Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.261{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006600Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.261{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006599Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.261{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006598Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.261{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006597Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.261{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006596Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.261{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006595Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.261{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006594Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.261{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006593Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.261{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006592Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.261{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006591Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.261{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006590Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.261{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006589Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.261{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006588Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.261{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006587Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.261{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006586Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.261{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006585Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.261{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006584Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.261{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006583Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.261{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006582Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.245{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006581Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.245{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000006580Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:37.230{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-2705751783-1496458293-2835996032-3143071717-1071345625-677459937-2760321769S-1-5-21-2034510999-1345200767-2897500970-500v2.26|AppPkgId=S-1-15-2-2705751783-1496458293-2835996032-3143071717-1071345625-677459937-2760321769|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|C=S-1-15-3-2705751783-1496458293-2835996032-3143071717-1071345625-677459937-2760321769|M=microsoft.windows.assignedaccesslockapp_cw5n1h2txyewy|Name=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDisplayName}|Desc=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDescription}|D=C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\|PFN=Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy| 13241300x80000000000000006579Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:37.230{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{687EB857-A525-40F0-8316-AAA892EA5FE7}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDisplayName}|Desc=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDescription}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-2705751783-1496458293-2835996032-3143071717-1071345625-677459937-2760321769|EmbedCtxt=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDisplayName}| 13241300x80000000000000006578Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:37.230{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{675220ED-A65E-4594-B363-EAAFB28EB8BF}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDisplayName}|Desc=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDescription}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-2705751783-1496458293-2835996032-3143071717-1071345625-677459937-2760321769|EmbedCtxt=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDisplayName}| 10341000x80000000000000006577Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.214{B364217D-6462-5FCE-0000-00104B090A00}56925728C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-0010EAFF0900}5628C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114786|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006576Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.199{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006575Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.199{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006574Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.199{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006573Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.199{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006572Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.199{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006571Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.199{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006570Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.199{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006569Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.199{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006568Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.199{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006567Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.199{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006566Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.199{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006565Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.199{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006564Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.199{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006563Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.199{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006562Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.199{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006561Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.199{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006560Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.199{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006559Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.199{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006558Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.199{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006557Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.199{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006556Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.199{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006555Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.199{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006554Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.199{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006553Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.199{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006552Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.199{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006551Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.199{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006550Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.199{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006549Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.199{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006548Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.199{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006547Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.199{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006546Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.199{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006545Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.199{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006544Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.199{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006543Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.199{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006542Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.199{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006541Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.199{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006540Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.199{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006539Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.199{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006538Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.199{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006537Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.183{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006536Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.183{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006535Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.183{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006534Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.183{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006533Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.183{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006532Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.183{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006531Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.183{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006530Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.183{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006529Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.183{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006528Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.183{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006527Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.183{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006526Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.183{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006525Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.183{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006524Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.152{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006523Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.152{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000006522Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:37.142{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706S-1-5-21-2034510999-1345200767-2897500970-500v2.26|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|C=S-1-15-3-1|C=S-1-15-3-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|M=microsoft.windows.apprep.chxapp_cw5n1h2txyewy|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|D=C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\|PFN=Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy| 13241300x80000000000000006521Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:37.120{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{33DDB867-C075-4C51-8C3F-00F7F3C4EC99}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x80000000000000006520Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:37.120{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{3212E8AC-89F8-4EDA-A0B3-4368CF8FB5B9}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}| 13241300x80000000000000006519Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:37.120{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{FDAA2BED-FCB5-4180-8599-86E006A7793A}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}| 13241300x80000000000000006518Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:37.120{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{989F4D19-9608-4512-9DB9-E0821A7D789F}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}| 10341000x80000000000000006517Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.120{B364217D-6462-5FCE-0000-00104B090A00}56925728C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-0010EAFF0900}5628C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114786|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006516Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.105{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006515Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.105{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006514Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.105{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006513Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.105{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006512Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.105{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006511Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.105{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006510Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.105{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006509Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.089{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006508Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.089{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006507Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.089{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006506Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.089{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006505Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.089{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006504Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.089{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006503Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.089{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006502Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.089{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006501Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.089{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006500Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.089{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006499Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.089{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006498Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.089{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006497Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.089{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006496Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.089{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006495Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.089{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006494Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.089{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006493Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.089{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006492Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.089{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006491Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.089{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006490Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.089{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006489Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.089{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006488Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.089{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006487Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.089{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006486Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.089{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006485Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.089{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006484Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.089{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006483Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.089{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006482Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.089{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006481Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.089{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006480Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.089{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006479Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.089{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006478Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.089{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006477Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.074{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006476Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.074{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006475Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.074{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006474Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.074{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006473Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.074{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006472Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.074{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006471Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.074{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006470Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.027{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006469Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.027{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006468Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:37.011{B364217D-6462-5FCE-0000-00104B090A00}56925728C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-0010EAFF0900}5628C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114786|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006467Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.995{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006466Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.980{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006465Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.980{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006464Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.980{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006463Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.980{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006462Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.980{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006461Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.980{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006460Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.980{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006459Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.980{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006458Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.980{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006457Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.980{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006456Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.980{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006455Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.980{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006454Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.980{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006453Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.969{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006452Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.969{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006451Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.969{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006450Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.969{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006449Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.969{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006448Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.969{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006447Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.969{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006446Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.955{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006445Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.955{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006444Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.955{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006443Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.955{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006442Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.955{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006441Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.955{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006440Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.955{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006439Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.955{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006438Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.955{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006437Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.955{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006436Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.955{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006435Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.955{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006434Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.933{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006433Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.933{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006432Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.933{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006431Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.933{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006430Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.933{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006429Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:36.933{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006843Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:38.855{B364217D-61FC-5FCE-0000-001019540000}856100C:\Windows\system32\lsass.exe{B364217D-6466-5FCE-0000-001016160B00}2528C:\Windows\system32\RunDll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006842Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:38.855{B364217D-61FC-5FCE-0000-001019540000}856100C:\Windows\system32\lsass.exe{B364217D-6466-5FCE-0000-001016160B00}2528C:\Windows\system32\RunDll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006841Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:38.839{B364217D-61FE-5FCE-0000-00102EBA0000}11361232C:\Windows\system32\svchost.exe{B364217D-6466-5FCE-0000-001016160B00}2528C:\Windows\system32\RunDll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006840Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:38.839{B364217D-61FE-5FCE-0000-00102EBA0000}11361624C:\Windows\system32\svchost.exe{B364217D-6466-5FCE-0000-001016160B00}2528C:\Windows\system32\RunDll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006839Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:38.839{B364217D-61FC-5FCE-0000-001019540000}856100C:\Windows\system32\lsass.exe{B364217D-6466-5FCE-0000-0010C0150B00}1984C:\Windows\system32\RunDll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006838Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:38.839{B364217D-61FC-5FCE-0000-001019540000}856100C:\Windows\system32\lsass.exe{B364217D-6466-5FCE-0000-0010C0150B00}1984C:\Windows\system32\RunDll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006837Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:38.839{B364217D-61FE-5FCE-0000-00102EBA0000}11361232C:\Windows\system32\svchost.exe{B364217D-6466-5FCE-0000-0010C0150B00}1984C:\Windows\system32\RunDll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006836Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:38.839{B364217D-61FE-5FCE-0000-00102EBA0000}11361624C:\Windows\system32\svchost.exe{B364217D-6466-5FCE-0000-0010C0150B00}1984C:\Windows\system32\RunDll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006835Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:38.839{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006834Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:38.839{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006833Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:38.839{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006832Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:38.839{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006831Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:38.839{B364217D-645F-5FCE-0000-0010EA600800}42163292C:\Windows\system32\csrss.exe{B364217D-6466-5FCE-0000-001016160B00}2528C:\Windows\system32\RunDll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006830Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:38.839{B364217D-6466-5FCE-0000-001023100B00}13004328C:\Windows\System32\ie4uinit.exe{B364217D-6466-5FCE-0000-001016160B00}2528C:\Windows\system32\RunDll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+1845f|C:\Windows\system32\migration\WininetPlugin.dll+2b25|C:\Windows\system32\migration\WininetPlugin.dll+1e44|C:\Windows\system32\migration\WininetPlugin.dll+176c|C:\Windows\System32\ie4uinit.exe+2b3c|C:\Windows\System32\ie4uinit.exe+33b8|C:\Windows\System32\ie4uinit.exe+245e7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006829Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:38.839{B364217D-6466-5FCE-0000-001016160B00}2528C:\Windows\System32\rundll32.exe10.0.14393.0 (rs1_release.160715-1616)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0C:\Windows\system32\ATTACKRANGE\Administrator{B364217D-6460-5FCE-0000-0020BD420900}0x942bd2MediumMD5=C7645D43451C6D94D87F4D07BDE59C89,SHA256=495BBA47FC43EE23054FCD419F2F00457162D1C04296900C6AEA551102A810F3,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{B364217D-6466-5FCE-0000-001023100B00}1300C:\Windows\System32\ie4uinit.exeC:\Windows\System32\ie4uinit.exe -ClearIconCache 10341000x80000000000000006828Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:38.823{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006827Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:38.823{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006826Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:38.823{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006825Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:38.823{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006824Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:38.823{B364217D-645F-5FCE-0000-0010EA600800}42163868C:\Windows\system32\csrss.exe{B364217D-6466-5FCE-0000-0010C0150B00}1984C:\Windows\system32\RunDll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006823Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:38.823{B364217D-6466-5FCE-0000-001023100B00}13004328C:\Windows\System32\ie4uinit.exe{B364217D-6466-5FCE-0000-0010C0150B00}1984C:\Windows\system32\RunDll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+1845f|C:\Windows\system32\migration\WininetPlugin.dll+2b25|C:\Windows\system32\migration\WininetPlugin.dll+1e44|C:\Windows\system32\migration\WininetPlugin.dll+1743|C:\Windows\System32\ie4uinit.exe+2b3c|C:\Windows\System32\ie4uinit.exe+33b8|C:\Windows\System32\ie4uinit.exe+245e7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006822Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:38.837{B364217D-6466-5FCE-0000-0010C0150B00}1984C:\Windows\System32\rundll32.exe10.0.14393.0 (rs1_release.160715-1616)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0C:\Windows\system32\ATTACKRANGE\Administrator{B364217D-6460-5FCE-0000-0020BD420900}0x942bd2LowMD5=C7645D43451C6D94D87F4D07BDE59C89,SHA256=495BBA47FC43EE23054FCD419F2F00457162D1C04296900C6AEA551102A810F3,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{B364217D-6466-5FCE-0000-001023100B00}1300C:\Windows\System32\ie4uinit.exeC:\Windows\System32\ie4uinit.exe -ClearIconCache 10341000x80000000000000006821Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:38.620{B364217D-61FC-5FCE-0000-001019540000}856100C:\Windows\system32\lsass.exe{B364217D-6466-5FCE-0000-001023100B00}1300C:\Windows\System32\ie4uinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006820Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:38.620{B364217D-61FC-5FCE-0000-001019540000}856100C:\Windows\system32\lsass.exe{B364217D-6466-5FCE-0000-001023100B00}1300C:\Windows\System32\ie4uinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006819Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:38.542{B364217D-61FE-5FCE-0000-00102EBA0000}11361232C:\Windows\system32\svchost.exe{B364217D-6466-5FCE-0000-001023100B00}1300C:\Windows\System32\ie4uinit.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006818Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:38.542{B364217D-61FE-5FCE-0000-00102EBA0000}11361624C:\Windows\system32\svchost.exe{B364217D-6466-5FCE-0000-001023100B00}1300C:\Windows\System32\ie4uinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006817Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:38.527{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006816Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:38.527{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006815Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:38.527{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006814Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:38.527{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006813Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:38.527{B364217D-645F-5FCE-0000-0010EA600800}42163868C:\Windows\system32\csrss.exe{B364217D-6457-5FCE-0000-00100F090800}1300C:\Windows\System32\ie4uinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006812Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:38.527{B364217D-6465-5FCE-0000-00104C070B00}33122480C:\Windows\System32\ie4uinit.exe{B364217D-6457-5FCE-0000-00100F090800}1300C:\Windows\System32\ie4uinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ie4uinit.exe+2d19|C:\Windows\System32\ie4uinit.exe+33b8|C:\Windows\System32\ie4uinit.exe+245e7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006811Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:38.532{B364217D-6466-5FCE-0000-001023100B00}1300C:\Windows\System32\ie4uinit.exe11.00.14393.2999 (rs1_release_inmarket.190520-1518)IE Per-User Initialization UtilityInternet ExplorerMicrosoft CorporationIE4UINIT.EXEC:\Windows\System32\ie4uinit.exe -ClearIconCacheC:\Windows\system32\ATTACKRANGE\Administrator{B364217D-6460-5FCE-0000-0020BD420900}0x942bd2HighMD5=8450580ADC40581006B7233F2B2803EB,SHA256=DD7FE0DBD6BD3B66437C093B707D1B2CA8AC72E4671B88829A4327FA6B8A00BD,IMPHASH=A9F54FA8B3C0ECA158788E684C66CA9A{B364217D-6465-5FCE-0000-00104C070B00}3312C:\Windows\System32\ie4uinit.exe"C:\Windows\System32\ie4uinit.exe" -UserConfig 10341000x80000000000000006810Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:38.245{B364217D-61FE-5FCE-0000-00102EBA0000}11361232C:\Windows\system32\svchost.exe{B364217D-6465-5FCE-0000-00104C070B00}3312C:\Windows\System32\ie4uinit.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006809Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:38.245{B364217D-61FE-5FCE-0000-00102EBA0000}11361624C:\Windows\system32\svchost.exe{B364217D-6465-5FCE-0000-00104C070B00}3312C:\Windows\System32\ie4uinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006808Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:38.074{B364217D-61FE-5FCE-0000-00102EBA0000}11361232C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\shsvcs.dll+11f99|c:\windows\system32\shsvcs.dll+11ba6|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000006807Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:38.074{B364217D-61FE-5FCE-0000-00102EBA0000}11361232C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x101068C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\shsvcs.dll+11f27|c:\windows\system32\shsvcs.dll+11ba6|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000006844Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:39.183{B364217D-61FE-5FCE-0000-0010F9A90000}9921576C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006851Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:41.839{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6469-5FCE-0000-001048440B00}1256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006850Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:41.823{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6461-5FCE-0000-0010A3760900}1256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006849Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:41.823{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6461-5FCE-0000-0010A3760900}1256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006848Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:41.683{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6469-5FCE-0000-0010CA400B00}5332C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006847Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:41.683{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6469-5FCE-0000-0010CA400B00}5332C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006846Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:41.683{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6469-5FCE-0000-0010CA400B00}5332C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006845Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:20:41.527{B364217D-6463-5FCE-0000-0010E7240A00}5912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1718-0\System.Xml.dll2020-12-07 17:20:41.527 10341000x80000000000000006857Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:42.980{B364217D-61FC-5FCE-0000-001019540000}856896C:\Windows\system32\lsass.exe{B364217D-6465-5FCE-0000-00104C070B00}3312C:\Windows\System32\ie4uinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006856Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:42.980{B364217D-61FC-5FCE-0000-001019540000}856896C:\Windows\system32\lsass.exe{B364217D-6465-5FCE-0000-00104C070B00}3312C:\Windows\System32\ie4uinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000006855Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localInvDB-DriverVerSetValue2020-12-07 17:20:42.480{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe\REGISTRY\A\{ceab55d6-acb1-68fa-b587-422bd3152e7e}\Root\InventoryDevicePnp\swd/scdeviceenumbus/1\DriverVerVersion10.0.14393.0 13241300x80000000000000006854Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localInvDB-DriverVerSetValue2020-12-07 17:20:42.480{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe\REGISTRY\A\{ceab55d6-acb1-68fa-b587-422bd3152e7e}\Root\InventoryDevicePnp\swd/scdeviceenumbus/0\DriverVerVersion10.0.14393.0 13241300x80000000000000006853Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localInvDB-DriverVerSetValue2020-12-07 17:20:42.480{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe\REGISTRY\A\{ceab55d6-acb1-68fa-b587-422bd3152e7e}\Root\InventoryDevicePnp\terminput_bus/umb/2&2c22bcc9&0&session2mouse0\DriverVerVersion10.0.14393.0 13241300x80000000000000006852Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localInvDB-DriverVerSetValue2020-12-07 17:20:42.464{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe\REGISTRY\A\{ceab55d6-acb1-68fa-b587-422bd3152e7e}\Root\InventoryDevicePnp\terminput_bus/umb/2&2c22bcc9&0&session2keyboard0\DriverVerVersion10.0.14393.0 11241100x80000000000000006858Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:43.339{B364217D-6465-5FCE-0000-00104C070B00}3312C:\Windows\System32\ie4uinit.exeC:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\brndlog.txt2020-12-07 16:00:30.189 10341000x80000000000000006879Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:44.526{B364217D-61FE-5FCE-0000-00102EBA0000}11362236C:\Windows\system32\svchost.exe{B364217D-646C-5FCE-0000-00104F6B0B00}5824C:\Windows\System32\unregmp2.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006878Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:44.526{B364217D-61FE-5FCE-0000-00102EBA0000}11361624C:\Windows\system32\svchost.exe{B364217D-646C-5FCE-0000-00104F6B0B00}5824C:\Windows\System32\unregmp2.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006877Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:44.495{B364217D-645F-5FCE-0000-0010EA600800}42163324C:\Windows\system32\csrss.exe{B364217D-646C-5FCE-0000-00104F6B0B00}5824C:\Windows\System32\unregmp2.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006876Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:44.495{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006875Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:44.495{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006874Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:44.495{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006873Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:44.495{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006872Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:44.495{B364217D-6461-5FCE-0000-001072CC0900}55125516C:\Windows\Explorer.EXE{B364217D-646C-5FCE-0000-00104F6B0B00}5824C:\Windows\System32\unregmp2.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+13755f|C:\Windows\System32\windows.storage.dll+1371d5|C:\Windows\System32\windows.storage.dll+136cc6|C:\Windows\System32\windows.storage.dll+138138|C:\Windows\System32\windows.storage.dll+136aee|C:\Windows\System32\windows.storage.dll+10a3b5|C:\Windows\System32\windows.storage.dll+10a734|C:\Windows\System32\windows.storage.dll+109d70|C:\Windows\System32\windows.storage.dll+1241fa|C:\Windows\System32\windows.storage.dll+123f5a|C:\Windows\System32\SHELL32.dll+77991|C:\Windows\System32\SHELL32.dll+767f6|C:\Windows\System32\SHELL32.dll+110821|C:\Windows\System32\SHELL32.dll+7888e|C:\Windows\System32\SHELL32.dll+552284|C:\Windows\System32\SHELL32.dll+551ce0|C:\Windows\System32\SHELL32.dll+551e54|C:\Windows\System32\SHELL32.dll+234591|C:\Windows\System32\SHELL32.dll+110c45|C:\Windows\System32\SHELL32.dll+1234a1 154100x80000000000000006871Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:44.502{B364217D-646C-5FCE-0000-00104F6B0B00}5824C:\Windows\System32\unregmp2.exe12.0.14393.2551 (rs1_release.181004-1309)Microsoft Windows Media Player Setup UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationunregmp2.exe"C:\Windows\System32\unregmp2.exe" /FirstLogonC:\Windows\system32\ATTACKRANGE\Administrator{B364217D-6460-5FCE-0000-0020BD420900}0x942bd2HighMD5=B9F03D42E2D49747FD518412E0AEB09D,SHA256=DEBA397177C965811E35B502D515956CC419781233334FB47CEFDA850021F216,IMPHASH=DFC94E57160B0CE8835243B5D92F3D9E{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x80000000000000006870Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:44.448{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006869Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:44.448{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006868Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:44.448{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006867Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:44.448{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006866Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:44.386{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-646C-5FCE-0000-001083660B00}5688C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006865Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:44.370{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-646C-5FCE-0000-001083660B00}5688C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006864Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:44.370{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-646C-5FCE-0000-001083660B00}5688C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006863Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:44.370{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006862Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:44.370{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006861Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:44.261{B364217D-61FE-5FCE-0000-00102EBA0000}11362236C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+74a3|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006860Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:44.230{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006859Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:44.230{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000006917Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localT1042SetValue2020-12-07 17:20:46.605{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXEHKU\S-1-5-21-2034510999-1345200767-2897500970-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefileBinary Data 10341000x80000000000000006916Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:46.558{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006915Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:46.558{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006914Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:46.558{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006913Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:46.558{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006912Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:46.542{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006911Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:46.542{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006910Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:46.542{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006909Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:46.542{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006908Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:46.542{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006907Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:46.542{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006906Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:46.542{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006905Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:46.542{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006904Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:46.526{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006903Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:46.511{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006902Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:46.511{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006901Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:46.511{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006900Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:46.495{B364217D-6462-5FCE-0000-0010EAFF0900}56285668C:\Windows\System32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b234|c:\windows\system32\appreadiness.dll+c029|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000006899Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:46.495{B364217D-6462-5FCE-0000-0010EAFF0900}56285668C:\Windows\System32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b167|c:\windows\system32\appreadiness.dll+bfb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000006898Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:46.495{B364217D-6462-5FCE-0000-0010EAFF0900}56285656C:\Windows\System32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b234|c:\windows\system32\appreadiness.dll+b81e|c:\windows\system32\appreadiness.dll+b725|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x80000000000000006897Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:46.495{B364217D-6462-5FCE-0000-0010EAFF0900}56285656C:\Windows\System32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b167|c:\windows\system32\appreadiness.dll+b780|c:\windows\system32\appreadiness.dll+b725|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x80000000000000006896Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:46.480{B364217D-61FE-5FCE-0000-00102EBA0000}11362236C:\Windows\system32\svchost.exe{B364217D-646E-5FCE-0000-001002960B00}5876C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006895Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:46.480{B364217D-61FE-5FCE-0000-00102EBA0000}11361624C:\Windows\system32\svchost.exe{B364217D-646E-5FCE-0000-001002960B00}5876C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006894Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:46.464{B364217D-645F-5FCE-0000-0010EA600800}42163324C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}5876C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006893Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:46.464{B364217D-6461-5FCE-0000-001072CC0900}55125516C:\Windows\Explorer.EXE{00000000-0000-0000-0000-000000000000}5876C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+13755f|C:\Windows\System32\windows.storage.dll+1371d5|C:\Windows\System32\windows.storage.dll+136cc6|C:\Windows\System32\windows.storage.dll+138138|C:\Windows\System32\windows.storage.dll+136aee|C:\Windows\System32\windows.storage.dll+10a3b5|C:\Windows\System32\windows.storage.dll+10a734|C:\Windows\System32\windows.storage.dll+109d70|C:\Windows\System32\windows.storage.dll+1241fa|C:\Windows\System32\windows.storage.dll+123f5a|C:\Windows\System32\SHELL32.dll+77991|C:\Windows\System32\SHELL32.dll+767f6|C:\Windows\System32\SHELL32.dll+110821|C:\Windows\System32\SHELL32.dll+7888e|C:\Windows\System32\SHELL32.dll+552284|C:\Windows\System32\SHELL32.dll+551ce0|C:\Windows\System32\SHELL32.dll+551e54|C:\Windows\System32\SHELL32.dll+234591|C:\Windows\System32\SHELL32.dll+110c45|C:\Windows\System32\SHELL32.dll+1234a1 154100x80000000000000006892Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:46.468{B364217D-646E-5FCE-0000-001002960B00}5876C:\Windows\System32\rundll32.exe10.0.14393.0 (rs1_release.160715-1616)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXE"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iesetup.dll",IEHardenUserC:\Windows\system32\ATTACKRANGE\Administrator{B364217D-6460-5FCE-0000-0020BD420900}0x942bd2HighMD5=C7645D43451C6D94D87F4D07BDE59C89,SHA256=495BBA47FC43EE23054FCD419F2F00457162D1C04296900C6AEA551102A810F3,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 13241300x80000000000000006891Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:46.448{B364217D-646E-5FCE-0000-0010C98A0B00}5880C:\Windows\System32\rundll32.exeHKU\S-1-5-21-2034510999-1345200767-2897500970-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1809DWORD (0x00000000) 13241300x80000000000000006890Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:46.448{B364217D-646E-5FCE-0000-0010C98A0B00}5880C:\Windows\System32\rundll32.exeHKU\S-1-5-21-2034510999-1345200767-2897500970-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1206DWORD (0x00000003) 13241300x80000000000000006889Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:46.370{B364217D-646E-5FCE-0000-0010C98A0B00}5880C:\Windows\System32\rundll32.exeHKU\S-1-5-21-2034510999-1345200767-2897500970-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500DWORD (0x00000000) 10341000x80000000000000006888Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:46.058{B364217D-61FE-5FCE-0000-00102EBA0000}11362236C:\Windows\system32\svchost.exe{B364217D-646E-5FCE-0000-0010C98A0B00}5880C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006887Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:46.058{B364217D-61FE-5FCE-0000-00102EBA0000}11361624C:\Windows\system32\svchost.exe{B364217D-646E-5FCE-0000-0010C98A0B00}5880C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006886Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:46.042{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006885Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:46.042{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006884Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:46.042{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006883Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:46.042{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006882Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:46.042{B364217D-645F-5FCE-0000-0010EA600800}42163292C:\Windows\system32\csrss.exe{B364217D-646E-5FCE-0000-0010C98A0B00}5880C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006881Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:46.042{B364217D-6461-5FCE-0000-001072CC0900}55125516C:\Windows\Explorer.EXE{B364217D-646E-5FCE-0000-0010C98A0B00}5880C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+13755f|C:\Windows\System32\windows.storage.dll+1371d5|C:\Windows\System32\windows.storage.dll+136cc6|C:\Windows\System32\windows.storage.dll+138138|C:\Windows\System32\windows.storage.dll+136aee|C:\Windows\System32\windows.storage.dll+10a3b5|C:\Windows\System32\windows.storage.dll+10a734|C:\Windows\System32\windows.storage.dll+109d70|C:\Windows\System32\windows.storage.dll+1241fa|C:\Windows\System32\windows.storage.dll+123f5a|C:\Windows\System32\SHELL32.dll+77991|C:\Windows\System32\SHELL32.dll+767f6|C:\Windows\System32\SHELL32.dll+110821|C:\Windows\System32\SHELL32.dll+7888e|C:\Windows\System32\SHELL32.dll+552284|C:\Windows\System32\SHELL32.dll+551ce0|C:\Windows\System32\SHELL32.dll+551e54|C:\Windows\System32\SHELL32.dll+234591|C:\Windows\System32\SHELL32.dll+110c45|C:\Windows\System32\SHELL32.dll+1234a1 154100x80000000000000006880Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:46.050{B364217D-646E-5FCE-0000-0010C98A0B00}5880C:\Windows\System32\rundll32.exe10.0.14393.0 (rs1_release.160715-1616)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXE"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iesetup.dll",IEHardenAdminC:\Windows\system32\ATTACKRANGE\Administrator{B364217D-6460-5FCE-0000-0020BD420900}0x942bd2HighMD5=C7645D43451C6D94D87F4D07BDE59C89,SHA256=495BBA47FC43EE23054FCD419F2F00457162D1C04296900C6AEA551102A810F3,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x80000000000000006948Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:47.698{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006947Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:47.698{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006946Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:47.698{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006945Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:47.698{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006944Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:47.683{B364217D-6461-5FCE-0000-0010D0970900}31525316C:\Windows\system32\taskhostw.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006943Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:47.683{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006942Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:47.683{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006941Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:47.651{B364217D-6461-5FCE-0000-001072CC0900}55126040C:\Windows\Explorer.EXE{B364217D-646F-5FCE-0000-0010AAAB0C00}6044C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\SHCORE.dll+316d6|C:\Windows\System32\SHCORE.dll+21cbf|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x80000000000000006940Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:47.651{B364217D-6461-5FCE-0000-001072CC0900}55126040C:\Windows\Explorer.EXE{B364217D-646F-5FCE-0000-0010AAAB0C00}6044C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\SHCORE.dll+316d6|C:\Windows\System32\SHCORE.dll+21cbf|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x80000000000000006939Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:47.620{B364217D-61FE-5FCE-0000-00102EBA0000}11362224C:\Windows\system32\svchost.exe{B364217D-646F-5FCE-0000-0010AAAB0C00}6044C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006938Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:47.620{B364217D-61FE-5FCE-0000-00102EBA0000}11361624C:\Windows\system32\svchost.exe{B364217D-646F-5FCE-0000-0010AAAB0C00}6044C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006937Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:47.620{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-646F-5FCE-0000-0010AAAB0C00}6044C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006936Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:47.620{B364217D-645F-5FCE-0000-0010EA600800}42163292C:\Windows\system32\csrss.exe{B364217D-646F-5FCE-0000-0010AAAB0C00}6044C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006935Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:47.620{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-646F-5FCE-0000-0010AAAB0C00}6044C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006934Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:47.620{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-646F-5FCE-0000-0010AAAB0C00}6044C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006933Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:47.448{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006932Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:47.448{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006931Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:47.448{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006930Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:47.448{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006929Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:47.448{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006928Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:47.433{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006927Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:47.417{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006926Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:47.401{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006925Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:47.386{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006924Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:47.355{B364217D-6461-5FCE-0000-0010058A0900}18202216C:\Windows\System32\RuntimeBroker.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\TokenBroker.dll+1acfa|C:\Windows\System32\TokenBroker.dll+1d475|C:\Windows\System32\TokenBroker.dll+1d7f9|C:\Windows\System32\TokenBroker.dll+1e8f3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+5086c|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x80000000000000006923Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:47.355{B364217D-6461-5FCE-0000-0010058A0900}18202216C:\Windows\System32\RuntimeBroker.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\TokenBroker.dll+21886|C:\Windows\System32\TokenBroker.dll+1ac23|C:\Windows\System32\TokenBroker.dll+1d475|C:\Windows\System32\TokenBroker.dll+1d7f9|C:\Windows\System32\TokenBroker.dll+1e8f3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+5086c|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000006922Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:47.151{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006921Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:47.151{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006920Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:47.151{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006919Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:47.026{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006918Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:47.026{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006950Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:47.995{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006949Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:47.995{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006954Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:49.245{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6471-5FCE-0000-001023C40C00}5208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006953Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:49.229{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6471-5FCE-0000-001023C40C00}5208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006952Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:49.229{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6471-5FCE-0000-001023C40C00}5208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006951Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:20:49.042{B364217D-6469-5FCE-0000-001048440B00}1256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\4e8-0\System.Core.dll2020-12-07 17:20:49.042 10341000x80000000000000006961Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:50.167{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6472-5FCE-0000-00104DCC0C00}2280C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006960Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:50.167{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6472-5FCE-0000-00104DCC0C00}2280C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006959Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:50.167{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6472-5FCE-0000-00104DCC0C00}2280C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006958Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:50.104{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6472-5FCE-0000-001015C90C00}3728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006957Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:50.104{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6472-5FCE-0000-001015C90C00}3728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006956Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:50.104{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6472-5FCE-0000-001015C90C00}3728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006955Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:20:50.026{B364217D-6471-5FCE-0000-001023C40C00}5208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1458-0\System.Configuration.dll2020-12-07 17:20:50.026 10341000x80000000000000007034Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.948{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007033Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.948{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007032Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.948{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007031Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.933{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007030Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.901{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007029Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.901{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007028Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.901{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007027Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.901{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007026Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.901{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f42ac|C:\Windows\System32\TwinUI.dll+f440a|C:\Windows\System32\TwinUI.dll+f4995|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9d35|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007025Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.901{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f42ac|C:\Windows\System32\TwinUI.dll+f440a|C:\Windows\System32\TwinUI.dll+f4995|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9d35|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007024Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.901{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007023Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.901{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007022Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.886{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007021Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.886{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007020Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.886{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007019Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.886{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007018Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.886{B364217D-620D-5FCE-0000-001026C10200}31643536C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bc62|c:\windows\system32\tileobjserver.dll+26f22|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000007017Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.886{B364217D-620D-5FCE-0000-001026C10200}31643536C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\tileobjserver.dll+bc0f|c:\windows\system32\tileobjserver.dll+26f22|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x80000000000000007016Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.886{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007015Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.886{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007014Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.870{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007013Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.870{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007012Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.870{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007011Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.870{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007010Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.870{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000007009Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.854{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007008Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.854{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007007Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.854{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007006Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.854{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007005Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.854{B364217D-6461-5FCE-0000-0010F2920900}10485364C:\Windows\system32\sihost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+6375|C:\Windows\System32\twinui.appcore.dll+470d|C:\Windows\System32\twinui.appcore.dll+3e1e|C:\Windows\system32\activationmanager.dll+79e9|C:\Windows\system32\activationmanager.dll+ac47|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000007004Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.854{B364217D-6461-5FCE-0000-0010F2920900}10485364C:\Windows\system32\sihost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+590b|C:\Windows\System32\twinui.appcore.dll+470d|C:\Windows\System32\twinui.appcore.dll+3e1e|C:\Windows\system32\activationmanager.dll+79e9|C:\Windows\system32\activationmanager.dll+ac47|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000007003Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.854{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007002Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.854{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007001Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.854{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+625f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5dfa|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5ea2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5ff5|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e 10341000x80000000000000007000Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.839{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ac73|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c499|C:\Windows\System32\TwinUI.dll+f42ac|C:\Windows\System32\TwinUI.dll+f440a|C:\Windows\System32\TwinUI.dll+f4cc3|C:\Windows\System32\TwinUI.dll+f4d62|C:\Windows\System32\TwinUI.dll+154f93|C:\Windows\System32\TwinUI.dll+155ab3|C:\Windows\System32\TwinUI.dll+1565f7|C:\Windows\System32\TwinUI.dll+14880b|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006999Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.839{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f42ac|C:\Windows\System32\TwinUI.dll+f440a|C:\Windows\System32\TwinUI.dll+f4cc3|C:\Windows\System32\TwinUI.dll+f4d62|C:\Windows\System32\TwinUI.dll+154f93|C:\Windows\System32\TwinUI.dll+155ab3|C:\Windows\System32\TwinUI.dll+1565f7|C:\Windows\System32\TwinUI.dll+14880b|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006998Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.839{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f42ac|C:\Windows\System32\TwinUI.dll+f440a|C:\Windows\System32\TwinUI.dll+f4cc3|C:\Windows\System32\TwinUI.dll+f4d62|C:\Windows\System32\TwinUI.dll+154f93|C:\Windows\System32\TwinUI.dll+155ab3|C:\Windows\System32\TwinUI.dll+1565f7|C:\Windows\System32\TwinUI.dll+14880b|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006997Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.839{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+141c7c|C:\Windows\System32\TwinUI.dll+e7804|C:\Windows\System32\TwinUI.dll+e28fb|C:\Windows\System32\TwinUI.dll+1487f6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006996Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.839{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006995Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.839{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006994Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.839{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006993Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.839{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006992Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.839{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x80000000000000006991Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.839{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x80000000000000006990Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.823{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+625f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5dfa|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5ea2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5ff5|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e 10341000x80000000000000006989Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.823{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ac73|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c499|C:\Windows\System32\TwinUI.dll+f42ac|C:\Windows\System32\TwinUI.dll+f440a|C:\Windows\System32\TwinUI.dll+f4d7e|C:\Windows\System32\TwinUI.dll+154f93|C:\Windows\System32\TwinUI.dll+155ab3|C:\Windows\System32\TwinUI.dll+1565f7|C:\Windows\System32\TwinUI.dll+14880b|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006988Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.823{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f42ac|C:\Windows\System32\TwinUI.dll+f440a|C:\Windows\System32\TwinUI.dll+f4d7e|C:\Windows\System32\TwinUI.dll+154f93|C:\Windows\System32\TwinUI.dll+155ab3|C:\Windows\System32\TwinUI.dll+1565f7|C:\Windows\System32\TwinUI.dll+14880b|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006987Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.823{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f42ac|C:\Windows\System32\TwinUI.dll+f440a|C:\Windows\System32\TwinUI.dll+f4d7e|C:\Windows\System32\TwinUI.dll+154f93|C:\Windows\System32\TwinUI.dll+155ab3|C:\Windows\System32\TwinUI.dll+1565f7|C:\Windows\System32\TwinUI.dll+14880b|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006986Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.823{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+141c7c|C:\Windows\System32\TwinUI.dll+e7804|C:\Windows\System32\TwinUI.dll+e28fb|C:\Windows\System32\TwinUI.dll+1487f6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006985Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.823{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006984Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.823{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006983Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.808{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006982Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.808{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006981Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.808{B364217D-6461-5FCE-0000-0010D0970900}31525316C:\Windows\system32\taskhostw.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006980Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.714{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-0010FAE80C00}4188C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006979Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.698{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6473-5FCE-0000-0010FAE80C00}4188C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006978Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.698{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6473-5FCE-0000-0010FAE80C00}4188C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006977Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.589{B364217D-61FE-5FCE-0000-00102EBA0000}11362036C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006976Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.589{B364217D-61FE-5FCE-0000-00102EBA0000}11361624C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006975Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.589{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006974Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.589{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006973Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.573{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+f967|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa6b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1276f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16952|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000006972Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.573{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+3844|C:\Windows\SYSTEM32\psmserviceexthost.dll+146dc|C:\Windows\SYSTEM32\psmserviceexthost.dll+f903|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa6b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1276f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16952|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006971Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.573{B364217D-6461-5FCE-0000-0010F2920900}10485144C:\Windows\system32\sihost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+18d08|C:\Windows\System32\modernexecserver.dll+18fa1|C:\Windows\System32\modernexecserver.dll+2c49a|C:\Windows\System32\modernexecserver.dll+31f08|C:\Windows\SYSTEM32\twinapi.appcore.dll+3d8f7|C:\Windows\SYSTEM32\twinapi.appcore.dll+3d700|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006970Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.573{B364217D-645F-5FCE-0000-0010EA600800}42163868C:\Windows\system32\csrss.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006969Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.573{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006968Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.573{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+4401|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006967Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.433{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001093DC0C00}5952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006966Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.433{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6473-5FCE-0000-001093DC0C00}5952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006965Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.433{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6473-5FCE-0000-001093DC0C00}5952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006964Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.417{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006963Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:51.417{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006962Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:20:51.354{B364217D-6472-5FCE-0000-00104DCC0C00}2280C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\8e8-0\System.Drawing.dll2020-12-07 17:20:51.354 10341000x80000000000000007273Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.979{B364217D-6461-5FCE-0000-0010D0970900}31525316C:\Windows\system32\taskhostw.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007272Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.979{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x80000000000000007271Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.979{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x80000000000000007270Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.979{B364217D-6461-5FCE-0000-0010058A0900}18204308C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+8635|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+853f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17343|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007269Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.979{B364217D-61FE-5FCE-0000-001037C40000}12042004C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007268Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.979{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x80000000000000007267Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.979{B364217D-61FE-5FCE-0000-001037C40000}12042004C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007266Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.979{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x80000000000000007265Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.979{B364217D-6461-5FCE-0000-0010058A0900}18201188C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+8635|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+853f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17343|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007264Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x80000000000000007263Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x80000000000000007262Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.964{B364217D-6461-5FCE-0000-0010058A0900}18202988C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+8635|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+853f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17343|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007261Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x80000000000000007260Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x80000000000000007259Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.964{B364217D-6461-5FCE-0000-0010058A0900}1820652C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+8635|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+853f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17343|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007258Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x80000000000000007257Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x80000000000000007256Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.964{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+8635|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+853f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17343|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007255Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.964{B364217D-6461-5FCE-0000-0010058A0900}18202216C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x80000000000000007254Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.964{B364217D-6461-5FCE-0000-0010058A0900}18202216C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x80000000000000007253Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x80000000000000007252Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x80000000000000007251Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.964{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+8635|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+853f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17343|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007250Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x80000000000000007249Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.964{B364217D-6461-5FCE-0000-0010058A0900}18204112C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x80000000000000007248Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x80000000000000007247Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.964{B364217D-6461-5FCE-0000-0010058A0900}18204112C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x80000000000000007246Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.964{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+8635|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+853f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17343|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007245Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.964{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+8635|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+853f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17343|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007244Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.964{B364217D-6461-5FCE-0000-0010058A0900}18202216C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+8635|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+853f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17343|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007243Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.948{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007242Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.948{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007241Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.917{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6446|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007240Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.917{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9c27|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9b25|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+63fd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e 10341000x80000000000000007239Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.917{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a54|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9af1|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+63fd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e 10341000x80000000000000007238Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.917{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9ac5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+63fd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007237Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.917{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9c27|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9b25|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+4aab|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+703f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x80000000000000007236Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.917{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a54|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9af1|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+4aab|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+703f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x80000000000000007235Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.917{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9ac5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+4aab|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+703f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e 10341000x80000000000000007234Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.917{B364217D-61FE-5FCE-0000-001037C40000}12042004C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007233Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.917{B364217D-61FE-5FCE-0000-001037C40000}12042004C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007232Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.901{B364217D-61FE-5FCE-0000-001037C40000}12042004C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007231Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.901{B364217D-61FE-5FCE-0000-001037C40000}12042004C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007230Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.901{B364217D-61FE-5FCE-0000-001037C40000}12042004C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007229Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.901{B364217D-6461-5FCE-0000-001072CC0900}55124764C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\SHCORE.dll+316d6|C:\Windows\System32\SHCORE.dll+21cbf|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x80000000000000007228Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.901{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+18a6c|C:\Windows\SYSTEM32\psmserviceexthost.dll+e44e|C:\Windows\SYSTEM32\psmserviceexthost.dll+e4e7|C:\Windows\SYSTEM32\psmserviceexthost.dll+e1f2|C:\Windows\SYSTEM32\psmserviceexthost.dll+18e38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007227Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.901{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+625f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5dfa|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5ea2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5ff5|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e 10341000x80000000000000007226Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.901{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007225Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.901{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ac73|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c499|C:\Windows\System32\TwinUI.dll+f42ac|C:\Windows\System32\TwinUI.dll+f440a|C:\Windows\System32\TwinUI.dll+f4d7e|C:\Windows\System32\TwinUI.dll+154f93|C:\Windows\System32\TwinUI.dll+155ab3|C:\Windows\System32\TwinUI.dll+1565f7|C:\Windows\System32\TwinUI.dll+14880b|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007224Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.901{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f42ac|C:\Windows\System32\TwinUI.dll+f440a|C:\Windows\System32\TwinUI.dll+f4d7e|C:\Windows\System32\TwinUI.dll+154f93|C:\Windows\System32\TwinUI.dll+155ab3|C:\Windows\System32\TwinUI.dll+1565f7|C:\Windows\System32\TwinUI.dll+14880b|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007223Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.901{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f42ac|C:\Windows\System32\TwinUI.dll+f440a|C:\Windows\System32\TwinUI.dll+f4d7e|C:\Windows\System32\TwinUI.dll+154f93|C:\Windows\System32\TwinUI.dll+155ab3|C:\Windows\System32\TwinUI.dll+1565f7|C:\Windows\System32\TwinUI.dll+14880b|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007222Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.901{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+141c7c|C:\Windows\System32\TwinUI.dll+e7804|C:\Windows\System32\TwinUI.dll+e28fb|C:\Windows\System32\TwinUI.dll+1487f6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007221Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.901{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007220Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.901{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007219Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.870{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_22[1].txt2020-12-07 17:20:52.870 11241100x80000000000000007218Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.870{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_22[1].txt2020-12-07 17:20:52.870 11241100x80000000000000007217Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.870{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_21[1].txt2020-12-07 17:20:52.870 11241100x80000000000000007216Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.870{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_21[1].txt2020-12-07 17:20:52.870 11241100x80000000000000007215Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.870{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt2020-12-07 17:20:52.870 11241100x80000000000000007214Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.870{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt2020-12-07 17:20:52.870 11241100x80000000000000007213Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.870{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt2020-12-07 17:20:52.870 11241100x80000000000000007212Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.870{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt2020-12-07 17:20:52.870 11241100x80000000000000007211Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.854{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt2020-12-07 17:20:52.854 11241100x80000000000000007210Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.854{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt2020-12-07 17:20:52.854 11241100x80000000000000007209Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.854{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt2020-12-07 17:20:52.854 11241100x80000000000000007208Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.854{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt2020-12-07 17:20:52.854 11241100x80000000000000007207Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.854{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt2020-12-07 17:20:52.854 11241100x80000000000000007206Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.854{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt2020-12-07 17:20:52.854 11241100x80000000000000007205Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.854{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt2020-12-07 17:20:52.854 11241100x80000000000000007204Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.854{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt2020-12-07 17:20:52.854 11241100x80000000000000007203Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.854{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt2020-12-07 17:20:52.854 11241100x80000000000000007202Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.854{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt2020-12-07 17:20:52.854 11241100x80000000000000007201Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.854{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt2020-12-07 17:20:52.854 11241100x80000000000000007200Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.854{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt2020-12-07 17:20:52.854 11241100x80000000000000007199Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.854{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt2020-12-07 17:20:52.839 11241100x80000000000000007198Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.839{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt2020-12-07 17:20:52.839 11241100x80000000000000007197Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.839{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt2020-12-07 17:20:52.839 11241100x80000000000000007196Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.839{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt2020-12-07 17:20:52.839 11241100x80000000000000007195Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.839{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt2020-12-07 17:20:52.839 11241100x80000000000000007194Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.839{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt2020-12-07 17:20:52.839 11241100x80000000000000007193Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.839{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt2020-12-07 17:20:52.839 11241100x80000000000000007192Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.839{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt2020-12-07 17:20:52.839 11241100x80000000000000007191Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.839{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt2020-12-07 17:20:52.839 11241100x80000000000000007190Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.839{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt2020-12-07 17:20:52.839 11241100x80000000000000007189Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.839{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt2020-12-07 17:20:52.839 11241100x80000000000000007188Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.839{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt2020-12-07 17:20:52.839 11241100x80000000000000007187Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.839{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt2020-12-07 17:20:52.839 11241100x80000000000000007186Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.839{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt2020-12-07 17:20:52.839 11241100x80000000000000007185Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.839{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt2020-12-07 17:20:52.823 11241100x80000000000000007184Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.823{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt2020-12-07 17:20:52.823 11241100x80000000000000007183Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.823{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt2020-12-07 17:20:52.823 11241100x80000000000000007182Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.823{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt2020-12-07 17:20:52.823 11241100x80000000000000007181Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.823{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt2020-12-07 17:20:52.823 11241100x80000000000000007180Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.823{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt2020-12-07 17:20:52.823 11241100x80000000000000007179Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.823{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt2020-12-07 17:20:52.823 11241100x80000000000000007178Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.823{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt2020-12-07 17:20:52.823 10341000x80000000000000007177Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.776{B364217D-6461-5FCE-0000-0010058A0900}18202216C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007176Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.776{B364217D-6461-5FCE-0000-0010058A0900}18202216C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007175Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.745{B364217D-6461-5FCE-0000-0010058A0900}18202216C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+14bb0|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x80000000000000007174Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.651{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007173Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.651{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\TokenBroker.dll+1acfa|C:\Windows\System32\TokenBroker.dll+1d475|C:\Windows\System32\TokenBroker.dll+1d7f9|C:\Windows\System32\TokenBroker.dll+1e8f3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+5086c|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x80000000000000007172Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.651{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\TokenBroker.dll+21886|C:\Windows\System32\TokenBroker.dll+1ac23|C:\Windows\System32\TokenBroker.dll+1d475|C:\Windows\System32\TokenBroker.dll+1d7f9|C:\Windows\System32\TokenBroker.dll+1e8f3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+5086c|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007171Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.651{B364217D-61FC-5FCE-0000-001019540000}856100C:\Windows\system32\lsass.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007170Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.651{B364217D-61FC-5FCE-0000-001019540000}856100C:\Windows\system32\lsass.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007169Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007168Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007167Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-646F-5FCE-0000-0010AAAB0C00}6044C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007166Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6463-5FCE-0000-001014400A00}5984C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007165Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007164Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6461-5FCE-0000-0010AF940900}4520C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007163Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6461-5FCE-0000-0010B77F0900}4672C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007162Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6226-5FCE-0000-0010614C0500}3508C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007161Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6226-5FCE-0000-0010844B0500}3552C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007160Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6226-5FCE-0000-0010A1460500}4212C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007159Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6226-5FCE-0000-001047450500}4292C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007158Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007157Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007156Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-646F-5FCE-0000-0010AAAB0C00}6044C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007155Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6463-5FCE-0000-001014400A00}5984C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007154Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007153Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6461-5FCE-0000-0010AF940900}4520C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007152Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6461-5FCE-0000-0010B77F0900}4672C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007151Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6226-5FCE-0000-0010614C0500}3508C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007150Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6226-5FCE-0000-0010844B0500}3552C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007149Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6226-5FCE-0000-0010A1460500}4212C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007148Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6226-5FCE-0000-001047450500}4292C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007147Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007146Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007145Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-646F-5FCE-0000-0010AAAB0C00}6044C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007144Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6463-5FCE-0000-001014400A00}5984C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007143Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007142Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6461-5FCE-0000-0010AF940900}4520C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007141Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6461-5FCE-0000-0010B77F0900}4672C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007140Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6226-5FCE-0000-0010614C0500}3508C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007139Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6226-5FCE-0000-0010844B0500}3552C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007138Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6226-5FCE-0000-0010A1460500}4212C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007137Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6226-5FCE-0000-001047450500}4292C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007136Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007135Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007134Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-646F-5FCE-0000-0010AAAB0C00}6044C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007133Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6463-5FCE-0000-001014400A00}5984C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007132Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007131Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6461-5FCE-0000-0010AF940900}4520C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007130Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6461-5FCE-0000-0010B77F0900}4672C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007129Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6226-5FCE-0000-0010614C0500}3508C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007128Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6226-5FCE-0000-0010844B0500}3552C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007127Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6226-5FCE-0000-0010A1460500}4212C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007126Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.620{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6226-5FCE-0000-001047450500}4292C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007125Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.604{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007124Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.604{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007123Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.604{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-646F-5FCE-0000-0010AAAB0C00}6044C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007122Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.604{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6463-5FCE-0000-001014400A00}5984C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007121Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.604{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007120Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.604{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6461-5FCE-0000-0010AF940900}4520C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007119Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.604{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6461-5FCE-0000-0010B77F0900}4672C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007118Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.604{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6226-5FCE-0000-0010614C0500}3508C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007117Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.604{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6226-5FCE-0000-0010844B0500}3552C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007116Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.604{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6226-5FCE-0000-0010A1460500}4212C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007115Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.604{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6226-5FCE-0000-001047450500}4292C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007114Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.604{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007113Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.604{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007112Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.604{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-646F-5FCE-0000-0010AAAB0C00}6044C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007111Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.604{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6463-5FCE-0000-001014400A00}5984C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007110Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.604{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007109Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.604{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6461-5FCE-0000-0010AF940900}4520C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007108Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.604{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6461-5FCE-0000-0010B77F0900}4672C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007107Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.604{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6226-5FCE-0000-0010614C0500}3508C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007106Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.604{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6226-5FCE-0000-0010844B0500}3552C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007105Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.604{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6226-5FCE-0000-0010A1460500}4212C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007104Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.604{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6226-5FCE-0000-001047450500}4292C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007103Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.604{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007102Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.604{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007101Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.604{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-646F-5FCE-0000-0010AAAB0C00}6044C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007100Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.604{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6463-5FCE-0000-001014400A00}5984C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007099Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.604{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007098Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.604{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6461-5FCE-0000-0010AF940900}4520C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007097Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.604{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6461-5FCE-0000-0010B77F0900}4672C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007096Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.604{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6226-5FCE-0000-0010614C0500}3508C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007095Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.604{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6226-5FCE-0000-0010844B0500}3552C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007094Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.604{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6226-5FCE-0000-0010A1460500}4212C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007093Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.604{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6226-5FCE-0000-001047450500}4292C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007092Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.589{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007091Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.589{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007090Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.589{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-646F-5FCE-0000-0010AAAB0C00}6044C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007089Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.589{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6463-5FCE-0000-001014400A00}5984C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007088Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.589{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007087Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.589{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6461-5FCE-0000-0010AF940900}4520C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007086Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.589{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6461-5FCE-0000-0010B77F0900}4672C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007085Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.589{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6226-5FCE-0000-0010614C0500}3508C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007084Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.589{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6226-5FCE-0000-0010844B0500}3552C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007083Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.589{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6226-5FCE-0000-0010A1460500}4212C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007082Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.589{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6226-5FCE-0000-001047450500}4292C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007081Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.589{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+b6ec|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x80000000000000007080Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.573{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+c0e0|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x80000000000000007079Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.573{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+7d50|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x80000000000000007078Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.417{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+7d50|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x80000000000000007077Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.417{B364217D-6461-5FCE-0000-0010058A0900}18202888C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+7d50|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x80000000000000007076Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.354{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007075Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.354{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007074Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.354{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x80000000000000007073Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.354{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x80000000000000007072Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.354{B364217D-6461-5FCE-0000-0010D0970900}31525316C:\Windows\system32\taskhostw.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007071Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.276{B364217D-61FE-5FCE-0000-00102EBA0000}11362036C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007070Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.276{B364217D-61FE-5FCE-0000-00102EBA0000}11361624C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007069Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.198{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007068Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.198{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007067Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.183{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8a65|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7fbc|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007066Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.183{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7f5b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007065Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.167{B364217D-645F-5FCE-0000-0010EA600800}42163868C:\Windows\system32\csrss.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007064Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.167{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+f967|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa6b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1276f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16952|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000007063Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.167{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+3844|C:\Windows\SYSTEM32\psmserviceexthost.dll+146dc|C:\Windows\SYSTEM32\psmserviceexthost.dll+f903|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa6b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1276f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16952|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000007062Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.167{B364217D-6461-5FCE-0000-0010F2920900}10485148C:\Windows\system32\sihost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+18d08|C:\Windows\System32\modernexecserver.dll+18fa1|C:\Windows\System32\modernexecserver.dll+2c49a|C:\Windows\System32\modernexecserver.dll+31f08|C:\Windows\SYSTEM32\twinapi.appcore.dll+3d8f7|C:\Windows\SYSTEM32\twinapi.appcore.dll+3d700|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007061Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.167{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007060Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.167{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+4401|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007059Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.151{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8de9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7f06|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007058Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.151{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6446|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007057Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.151{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a54|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9af1|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+63fd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e 10341000x80000000000000007056Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.151{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9ac5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+63fd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007055Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.151{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a54|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9af1|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6747|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+703f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x80000000000000007054Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.151{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9ac5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6747|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+703f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e 10341000x80000000000000007053Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.151{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6712|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+703f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007052Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.151{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a54|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9af1|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6747|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+703f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x80000000000000007051Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.151{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9ac5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6747|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+703f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e 10341000x80000000000000007050Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.151{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6712|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+703f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007049Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.151{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a54|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9af1|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6747|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+703f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x80000000000000007048Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.151{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9ac5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6747|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+703f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e 10341000x80000000000000007047Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.151{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6712|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+703f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007046Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.151{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a54|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9af1|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3ae7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+703f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x80000000000000007045Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.151{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9ac5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3ae7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+703f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e 10341000x80000000000000007044Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.151{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a54|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9af1|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+4aab|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+703f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x80000000000000007043Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.151{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9ac5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+4aab|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+703f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e 10341000x80000000000000007042Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.151{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x80000000000000007041Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.151{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x80000000000000007040Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.026{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007039Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.026{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007038Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.026{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007037Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.026{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007036Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.026{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007035Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.026{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008198Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008197Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008196Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008195Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008194Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008193Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008192Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008191Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008190Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008189Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008188Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008187Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008186Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008185Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008184Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008183Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008182Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008181Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008180Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008179Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008178Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008177Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008176Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008175Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008174Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008173Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008172Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008171Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008170Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008169Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008168Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008167Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008166Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008165Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008164Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008163Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008162Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008161Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008160Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008159Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008158Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008157Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008156Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008155Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008154Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008153Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008152Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008151Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008150Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008149Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008148Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008147Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008146Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008145Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008144Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008143Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008142Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008141Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008140Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008139Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008138Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008137Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008136Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008135Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008134Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008133Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008132Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008131Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008130Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008129Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008128Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008127Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008126Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008125Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008124Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008123Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008122Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008121Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008120Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008119Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008118Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008117Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008116Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008115Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008114Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008113Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008112Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008111Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008110Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008109Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008108Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008107Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008106Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008105Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008104Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008103Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008102Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008101Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008100Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008099Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008098Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008097Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008096Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008095Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008094Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008093Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008092Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008091Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008090Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008089Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008088Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008087Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008086Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008085Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008084Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008083Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008082Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008081Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008080Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008079Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008078Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008077Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008076Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008075Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008074Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008073Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008072Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008071Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008070Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008069Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008068Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008067Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.964{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008066Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1382d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9 10341000x80000000000000008065Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000008064Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000008063Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11620|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008062Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008061Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008060Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008059Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008058Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008057Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008056Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008055Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008054Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008053Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008052Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008051Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008050Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008049Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008048Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008047Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008046Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008045Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008044Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008043Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008042Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008041Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008040Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008039Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008038Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1382d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9 10341000x80000000000000008037Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000008036Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000008035Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11620|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008034Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008033Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008032Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008031Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008030Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008029Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008028Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008027Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008026Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008025Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008024Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008023Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008022Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008021Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008020Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008019Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008018Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008017Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008016Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008015Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008014Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008013Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008012Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008011Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008010Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008009Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008008Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008007Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008006Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008005Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008004Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008003Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008002Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1382d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9 10341000x80000000000000008001Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000008000Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007999Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11620|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007998Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007997Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007996Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007995Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007994Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1382d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9 10341000x80000000000000007993Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007992Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007991Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.948{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11620|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007990Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007989Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007988Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007987Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007986Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007985Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007984Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007983Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007982Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007981Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007980Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007979Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007978Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007977Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007976Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007975Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007974Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007973Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007972Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007971Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007970Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007969Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007968Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007967Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007966Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007965Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007964Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007963Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007962Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007961Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007960Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007959Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007958Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007957Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007956Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007955Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007954Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007953Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007952Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007951Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007950Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007949Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007948Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007947Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007946Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007945Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007944Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007943Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007942Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007941Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007940Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007939Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007938Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007937Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007936Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007935Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007934Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1382d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+180f1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10ec7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9 10341000x80000000000000007933Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+180f1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10ec7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007932Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+180f1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10ec7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007931Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+180a8|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10ec7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007930Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.932{B364217D-6461-5FCE-0000-0010058A0900}18206524C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16dde|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16f72|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16e8f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1736c|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x80000000000000007929Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.886{B364217D-6461-5FCE-0000-0010058A0900}18206524C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+5b70|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x80000000000000007928Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.886{B364217D-6461-5FCE-0000-0010058A0900}18206524C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007927Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.886{B364217D-6461-5FCE-0000-0010058A0900}18206524C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x80000000000000007926Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.886{B364217D-6461-5FCE-0000-0010058A0900}18206524C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+5b70|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x80000000000000007925Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.886{B364217D-6461-5FCE-0000-0010058A0900}18206524C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007924Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.886{B364217D-6461-5FCE-0000-0010058A0900}18206524C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x80000000000000007923Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.870{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ac73|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c499|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+1abb51|C:\Windows\System32\TwinUI.dll+f4ce1|C:\Windows\System32\TwinUI.dll+f4d62|C:\Windows\System32\TwinUI.dll+154f93|C:\Windows\System32\TwinUI.dll+155ab3|C:\Windows\System32\TwinUI.dll+1565f7|C:\Windows\System32\TwinUI.dll+14880b|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007922Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.870{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+1abb51|C:\Windows\System32\TwinUI.dll+f4ce1|C:\Windows\System32\TwinUI.dll+f4d62|C:\Windows\System32\TwinUI.dll+154f93|C:\Windows\System32\TwinUI.dll+155ab3|C:\Windows\System32\TwinUI.dll+1565f7|C:\Windows\System32\TwinUI.dll+14880b|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007921Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.870{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+1abb51|C:\Windows\System32\TwinUI.dll+f4ce1|C:\Windows\System32\TwinUI.dll+f4d62|C:\Windows\System32\TwinUI.dll+154f93|C:\Windows\System32\TwinUI.dll+155ab3|C:\Windows\System32\TwinUI.dll+1565f7|C:\Windows\System32\TwinUI.dll+14880b|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007920Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.870{B364217D-61FE-5FCE-0000-001037C40000}12041456C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x100000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000007919Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.870{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f42ac|C:\Windows\System32\TwinUI.dll+f440a|C:\Windows\System32\TwinUI.dll+f4cc3|C:\Windows\System32\TwinUI.dll+f4d62|C:\Windows\System32\TwinUI.dll+154f93|C:\Windows\System32\TwinUI.dll+155ab3|C:\Windows\System32\TwinUI.dll+1565f7|C:\Windows\System32\TwinUI.dll+14880b|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007918Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.870{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f42ac|C:\Windows\System32\TwinUI.dll+f440a|C:\Windows\System32\TwinUI.dll+f4cc3|C:\Windows\System32\TwinUI.dll+f4d62|C:\Windows\System32\TwinUI.dll+154f93|C:\Windows\System32\TwinUI.dll+155ab3|C:\Windows\System32\TwinUI.dll+1565f7|C:\Windows\System32\TwinUI.dll+14880b|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007917Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.870{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+141c7c|C:\Windows\System32\TwinUI.dll+e7804|C:\Windows\System32\TwinUI.dll+e28fb|C:\Windows\System32\TwinUI.dll+1487f6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007916Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.854{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007915Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.854{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007914Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.807{B364217D-6461-5FCE-0000-0010058A0900}18206524C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007913Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.807{B364217D-6461-5FCE-0000-0010058A0900}18206524C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007912Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.792{B364217D-6461-5FCE-0000-0010058A0900}18206524C:\Windows\System32\RuntimeBroker.exe{B364217D-646F-5FCE-0000-0010AAAB0C00}6044C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\shcore.dll+316d6|C:\Windows\System32\shcore.dll+21cbf|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x80000000000000007911Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.792{B364217D-6461-5FCE-0000-0010058A0900}18206524C:\Windows\System32\RuntimeBroker.exe{B364217D-646F-5FCE-0000-0010AAAB0C00}6044C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\shcore.dll+316d6|C:\Windows\System32\shcore.dll+21cbf|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x80000000000000007910Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.761{B364217D-6461-5FCE-0000-0010058A0900}18206432C:\Windows\System32\RuntimeBroker.exe{B364217D-646F-5FCE-0000-0010AAAB0C00}6044C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\shcore.dll+316d6|C:\Windows\System32\shcore.dll+21cbf|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x80000000000000007909Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.761{B364217D-6461-5FCE-0000-0010058A0900}18206432C:\Windows\System32\RuntimeBroker.exe{B364217D-646F-5FCE-0000-0010AAAB0C00}6044C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\shcore.dll+316d6|C:\Windows\System32\shcore.dll+21cbf|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x80000000000000007908Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18204420C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007907Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18204420C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007906Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18204420C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007905Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18204420C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007904Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18204420C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007903Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18204420C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007902Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18204420C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007901Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18204420C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007900Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18204420C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007899Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18204420C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007898Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18204420C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007897Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18204420C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007896Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18204420C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007895Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18204420C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007894Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18204420C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007893Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18205124C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007892Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18205124C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007891Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18204420C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007890Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18205124C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007889Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18205124C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007888Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18204420C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007887Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18204420C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007886Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18205124C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007885Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18205124C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007884Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18204420C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007883Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18205124C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007882Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18204420C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007881Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18205124C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007880Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18205580C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007879Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18205580C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007878Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18204420C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007877Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18204420C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007876Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18205124C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007875Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18205124C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007874Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18206208C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007873Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18206208C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007872Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18206268C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007871Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18206268C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007870Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18205580C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007869Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18205580C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007868Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18205124C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007867Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18205124C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007866Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18206268C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007865Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18204420C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007864Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18206268C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007863Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18204420C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007862Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18205124C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007861Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18204420C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007860Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18205124C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007859Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18204420C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007858Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18204420C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007857Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18205580C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007856Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18204420C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007855Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18205580C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007854Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18206268C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007853Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18206268C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007852Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18205916C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.onecore.dll+15d2f|C:\Windows\system32\windows.cortana.onecore.dll+15e27|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000007851Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18205580C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007850Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18205916C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.onecore.dll+16e7e|C:\Windows\system32\windows.cortana.onecore.dll+15cb7|C:\Windows\system32\windows.cortana.onecore.dll+15e27|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86 10341000x80000000000000007849Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18205580C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007848Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18205124C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007847Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18205580C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007846Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18205580C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007845Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18206208C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007844Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18206208C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007843Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18205124C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007842Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18205580C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007841Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18205580C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007840Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18206208C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007839Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18206208C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007838Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18205580C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007837Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.604{B364217D-6461-5FCE-0000-0010058A0900}18205580C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007836Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206456C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007835Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206456C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007834Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206432C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007833Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206432C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007832Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206208C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007831Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206268C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007830Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206208C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007829Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206268C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007828Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206208C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007827Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206208C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007826Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18205580C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007825Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206320C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007824Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18205124C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007823Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206208C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007822Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18205580C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007821Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206320C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007820Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18205124C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007819Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206208C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007818Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206428C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007817Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206428C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007816Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206332C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007815Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206332C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x80000000000000007814Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18205444C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007813Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18205444C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007812Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206432C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007811Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206432C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007810Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18205124C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007809Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18205124C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007808Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206424C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007807Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206424C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007806Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206420C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007805Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206420C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007804Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206416C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007803Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206416C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007802Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206240C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007801Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206240C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007800Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18205916C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.onecore.dll+15d2f|C:\Windows\system32\windows.cortana.onecore.dll+15e27|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000007799Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206332C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007798Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206332C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007797Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18205580C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007796Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18205124C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007795Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206368C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007794Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206368C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007793Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18205580C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007792Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18205124C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007791Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18205916C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.onecore.dll+16e7e|C:\Windows\system32\windows.cortana.onecore.dll+15cb7|C:\Windows\system32\windows.cortana.onecore.dll+15e27|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86 10341000x80000000000000007790Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206268C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007789Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206268C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007788Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206212C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007787Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206212C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007786Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206320C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007785Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206320C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007784Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206368C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007783Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206292C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007782Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206368C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007781Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206292C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007780Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206268C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007779Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206268C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007778Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206320C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007777Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206320C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007776Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206268C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007775Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206268C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007774Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18205444C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007773Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18205444C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007772Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18205436C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007771Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18205436C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007770Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206220C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007769Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206220C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007768Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206324C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007767Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206324C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007766Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206388C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007765Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206388C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007764Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206368C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007763Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206368C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007762Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206240C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007761Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206240C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007760Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206376C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007759Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206376C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007758Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206320C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007757Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206320C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007756Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206332C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007755Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18205124C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007754Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206332C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007753Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206220C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007752Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206220C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007751Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18205404C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007750Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18205404C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007749Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18205580C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007748Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18205124C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007747Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18205580C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007746Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206208C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007745Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206208C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007744Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18205124C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007743Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18205444C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007742Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18205444C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007741Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18205124C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007740Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206200C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007739Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206200C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007738Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206368C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007737Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206368C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007736Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206332C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007735Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206332C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007734Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18204420C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007733Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206348C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007732Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206348C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007731Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18204420C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007730Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18205124C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007729Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18205124C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007728Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18205436C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007727Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18205436C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007726Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206324C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007725Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206324C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007724Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206320C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007723Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206320C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007722Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18204420C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007721Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206312C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007720Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206312C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007719Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206228C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007718Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206228C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007717Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18205124C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007716Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18205436C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007715Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18205436C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007714Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18205124C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007713Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18205580C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007712Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206296C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007711Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206296C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007710Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.589{B364217D-6461-5FCE-0000-0010058A0900}18206208C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+fd3d6|C:\Windows\System32\Windows.Storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007709Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18206208C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007708Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18205580C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007707Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18206228C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007706Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18206228C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007705Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18205436C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007704Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18205436C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007703Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18206212C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007702Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18206212C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007701Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18206200C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007700Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18206200C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007699Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18204420C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+669f8|C:\Windows\System32\Windows.Storage.dll+7b6e4|C:\Windows\System32\Windows.Storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x80000000000000007698Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18205032C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007697Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18205032C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007696Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18205436C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007695Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18205444C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007694Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18205436C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x80000000000000007693Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18205444C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007692Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18205032C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007691Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18206200C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007690Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18205032C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007689Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18206200C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007688Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18206240C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007687Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18206240C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007686Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18206212C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007685Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18206212C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007684Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18205404C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007683Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18205404C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007682Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18206228C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007681Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18206220C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007680Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18206228C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007679Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18206212C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007678Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18206212C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007677Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18206220C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007676Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18206200C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007675Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18206200C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007674Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18205032C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007673Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18205032C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007672Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18205444C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007671Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18205444C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007670Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18205436C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007669Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18205404C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007668Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18205580C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007667Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18205436C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007666Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18205404C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007665Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.573{B364217D-6461-5FCE-0000-0010058A0900}18205580C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007664Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.558{B364217D-6461-5FCE-0000-0010058A0900}18205404C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007663Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.558{B364217D-6461-5FCE-0000-0010058A0900}18205404C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x80000000000000007662Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.526{B364217D-6461-5FCE-0000-0010058A0900}18206180C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+13c5d7|C:\Windows\System32\Windows.Storage.dll+13e363|C:\Windows\System32\Windows.Storage.dll+13c548|C:\Windows\System32\Windows.Storage.dll+13c40d|C:\Windows\System32\Windows.Storage.dll+73bac|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\Windows.Storage.dll+14735c 10341000x80000000000000007661Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.526{B364217D-6461-5FCE-0000-0010058A0900}18206180C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+60608|C:\Windows\System32\Windows.Storage.dll+13e344|C:\Windows\System32\Windows.Storage.dll+13c548|C:\Windows\System32\Windows.Storage.dll+13c40d|C:\Windows\System32\Windows.Storage.dll+73bac|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\Windows.Storage.dll+14735c 10341000x80000000000000007660Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.526{B364217D-6461-5FCE-0000-0010058A0900}18206180C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+13d57b|C:\Windows\System32\Windows.Storage.dll+13ccf5|C:\Windows\System32\Windows.Storage.dll+13cc5e|C:\Windows\System32\Windows.Storage.dll+13c3c6|C:\Windows\System32\Windows.Storage.dll+73bac|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\Windows.Storage.dll+14735c 10341000x80000000000000007659Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.526{B364217D-6461-5FCE-0000-0010058A0900}18205404C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+6411c|C:\Windows\System32\Windows.Storage.dll+13bb89|C:\Windows\System32\Windows.Storage.dll+13b9c4|C:\Windows\System32\Windows.Storage.dll+818c6|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x80000000000000007658Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.526{B364217D-6461-5FCE-0000-0010058A0900}18206180C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+13c0f0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\Windows.Storage.dll+14735c|C:\Windows\System32\Windows.Storage.dll+146cea|C:\Windows\System32\Windows.Storage.dll+1a6029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007657Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.526{B364217D-6461-5FCE-0000-0010058A0900}18206180C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+6430f|C:\Windows\System32\Windows.Storage.dll+62682|C:\Windows\System32\Windows.Storage.dll+62c78|C:\Windows\System32\Windows.Storage.dll+13a887|C:\Windows\System32\Windows.Storage.dll+13c0d5|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\Windows.Storage.dll+14735c 10341000x80000000000000007656Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.526{B364217D-6461-5FCE-0000-0010058A0900}18206180C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+63043|C:\Windows\System32\Windows.Storage.dll+13a985|C:\Windows\System32\Windows.Storage.dll+13a86d|C:\Windows\System32\Windows.Storage.dll+13c0d5|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\Windows.Storage.dll+14735c|C:\Windows\System32\Windows.Storage.dll+146cea 10341000x80000000000000007655Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.511{B364217D-6461-5FCE-0000-0010058A0900}18205404C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+6411c|C:\Windows\System32\Windows.Storage.dll+13bb89|C:\Windows\System32\Windows.Storage.dll+13b9c4|C:\Windows\System32\Windows.Storage.dll+818c6|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 11241100x80000000000000007654Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.511{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{eeadfb1d-9d7d-43eb-b065-bfa5a350894a}\0.2.filtertrie.intermediate.txt2020-12-07 17:20:53.511 11241100x80000000000000007653Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.511{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{eeadfb1d-9d7d-43eb-b065-bfa5a350894a}\0.1.filtertrie.intermediate.txt2020-12-07 17:20:53.511 11241100x80000000000000007652Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.495{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{eeadfb1d-9d7d-43eb-b065-bfa5a350894a}\0.0.filtertrie.intermediate.txt2020-12-07 17:20:53.495 11241100x80000000000000007651Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.464{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{2d7ac341-aeda-4e09-b357-9d73e3dadd7f}\appssynonyms.txt2016-04-15 08:09:24.000 10341000x80000000000000007650Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.464{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007649Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.464{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007648Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.448{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007647Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.448{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007646Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.448{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007645Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.448{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007644Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.448{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007643Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.448{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007642Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.448{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007641Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.448{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007640Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.433{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007639Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.433{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007638Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.433{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007637Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.433{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007636Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.433{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007635Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.433{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007634Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.433{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007633Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.433{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007632Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.401{B364217D-6461-5FCE-0000-001072CC0900}55125224C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+6468|C:\Windows\System32\SHCORE.dll+6437|C:\Windows\System32\SHCORE.dll+6327|C:\Windows\System32\SHCORE.dll+629d|C:\Windows\System32\SHCORE.dll+61aa|C:\Windows\System32\SHELL32.dll+46770|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8028B65C8D8)|UNKNOWN(FFFFB8A5FAFC21F8)|UNKNOWN(FFFFB8A5FAFC2377)|UNKNOWN(FFFFB8A5FAFBCA01)|UNKNOWN(FFFFB8A5FAFBE3CA)|UNKNOWN(FFFFB8A5FAFBC686)|UNKNOWN(FFFFF8028B373E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+49fdb|C:\Windows\System32\SHELL32.dll+10a26a|C:\Windows\System32\SHCORE.dll+2fedd 10341000x80000000000000007631Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.401{B364217D-6461-5FCE-0000-001072CC0900}55125224C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+6468|C:\Windows\System32\SHCORE.dll+124a5|C:\Windows\System32\SHELL32.dll+46251|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8028B65C8D8)|UNKNOWN(FFFFB8A5FAFC21F8)|UNKNOWN(FFFFB8A5FAFC2377)|UNKNOWN(FFFFB8A5FAFBCA01)|UNKNOWN(FFFFB8A5FAFBE3CA)|UNKNOWN(FFFFB8A5FAFBC686)|UNKNOWN(FFFFF8028B373E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+49fdb|C:\Windows\System32\SHELL32.dll+10a26a|C:\Windows\System32\SHCORE.dll+2fedd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007630Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.370{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{2d7ac341-aeda-4e09-b357-9d73e3dadd7f}\settingssynonyms.txt2020-12-07 17:20:53.370 11241100x80000000000000007629Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.370{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{2d7ac341-aeda-4e09-b357-9d73e3dadd7f}\appssynonyms.txt2020-12-07 17:20:53.370 11241100x80000000000000007628Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.370{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{2d7ac341-aeda-4e09-b357-9d73e3dadd7f}\settingsconversions.txt2020-12-07 17:20:53.370 11241100x80000000000000007627Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.370{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{2d7ac341-aeda-4e09-b357-9d73e3dadd7f}\appsconversions.txt2020-12-07 17:20:53.370 11241100x80000000000000007626Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.354{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{2d7ac341-aeda-4e09-b357-9d73e3dadd7f}\settingsglobals.txt2020-12-07 17:20:53.354 11241100x80000000000000007625Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.354{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{2d7ac341-aeda-4e09-b357-9d73e3dadd7f}\appsglobals.txt2020-12-07 17:20:53.354 10341000x80000000000000007624Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.339{B364217D-6461-5FCE-0000-001072CC0900}55125224C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+6468|C:\Windows\System32\SHCORE.dll+6437|C:\Windows\System32\SHCORE.dll+6327|C:\Windows\System32\SHCORE.dll+629d|C:\Windows\System32\SHCORE.dll+61aa|C:\Windows\System32\SHELL32.dll+46770|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8028B65C8D8)|UNKNOWN(FFFFB8A5FAFC21F8)|UNKNOWN(FFFFB8A5FAFC2377)|UNKNOWN(FFFFB8A5FAFBCA01)|UNKNOWN(FFFFB8A5FAFBE3CA)|UNKNOWN(FFFFB8A5FAFBC686)|UNKNOWN(FFFFF8028B373E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+49fdb|C:\Windows\System32\SHELL32.dll+10a26a|C:\Windows\System32\SHCORE.dll+2fedd 10341000x80000000000000007623Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.339{B364217D-6461-5FCE-0000-001072CC0900}55125224C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+6468|C:\Windows\System32\SHCORE.dll+124a5|C:\Windows\System32\SHELL32.dll+46251|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8028B65C8D8)|UNKNOWN(FFFFB8A5FAFC21F8)|UNKNOWN(FFFFB8A5FAFC2377)|UNKNOWN(FFFFB8A5FAFBCA01)|UNKNOWN(FFFFB8A5FAFBE3CA)|UNKNOWN(FFFFB8A5FAFBC686)|UNKNOWN(FFFFF8028B373E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+49fdb|C:\Windows\System32\SHELL32.dll+10a26a|C:\Windows\System32\SHCORE.dll+2fedd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007622Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.339{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache132518352530323612.txt2020-12-07 17:20:53.323 10341000x80000000000000007621Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007620Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007619Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007618Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007617Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007616Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007615Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007614Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007613Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007612Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007611Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007610Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007609Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007608Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007607Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007606Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007605Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007604Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007603Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007602Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007601Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007600Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007599Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007598Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007597Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007596Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007595Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007594Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007593Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007592Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007591Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007590Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007589Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007588Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007587Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007586Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007585Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007584Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007583Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007582Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007581Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007580Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007579Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007578Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007577Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007576Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007575Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007574Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007573Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007572Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007571Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007570Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007569Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007568Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007567Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007566Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007565Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007564Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007563Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007562Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007561Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007560Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007559Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007558Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007557Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007556Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007555Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007554Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007553Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007552Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007551Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007550Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007549Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007548Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007547Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007546Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007545Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007544Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007543Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007542Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007541Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007540Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007539Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007538Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.292{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007537Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007536Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007535Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007534Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007533Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007532Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007531Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007530Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007529Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007528Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007527Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007526Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007525Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007524Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007523Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007522Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007521Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007520Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007519Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007518Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007517Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007516Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007515Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007514Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007513Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007512Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007511Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007510Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007509Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007508Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007507Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007506Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007505Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007504Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007503Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007502Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007501Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007500Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007499Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007498Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007497Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007496Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007495Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007494Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007493Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007492Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007491Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007490Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007489Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1382d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9 10341000x80000000000000007488Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007487Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007486Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11620|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007485Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007484Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007483Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007482Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007481Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007480Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007479Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007478Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007477Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007476Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007475Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007474Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007473Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007472Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007471Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007470Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007469Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007468Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007467Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007466Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007465Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007464Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007463Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007462Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007461Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1382d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9 10341000x80000000000000007460Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007459Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007458Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11620|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007457Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007456Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007455Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007454Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007453Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007452Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007451Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007450Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007449Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007448Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007447Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007446Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007445Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007444Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007443Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007442Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007441Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007440Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007439Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007438Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007437Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007436Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007435Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007434Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007433Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007432Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007431Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007430Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007429Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007428Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007427Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007426Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.276{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007425Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.261{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1382d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9 10341000x80000000000000007424Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.261{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007423Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.261{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007422Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.261{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11620|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007421Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.261{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007420Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.261{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007419Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.261{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007418Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.261{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007417Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.261{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1382d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9 10341000x80000000000000007416Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.261{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007415Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.261{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007414Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.261{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11620|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007413Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.261{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007412Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.261{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007411Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.261{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007410Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.261{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007409Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.261{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007408Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.261{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007407Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.261{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007406Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.261{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007405Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.261{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007404Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.261{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007403Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.261{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007402Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.261{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007401Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.261{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007400Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.261{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007399Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.261{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007398Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.261{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007397Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.261{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007396Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.261{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007395Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.261{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007394Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.261{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007393Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007392Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007391Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007390Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007389Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007388Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007387Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007386Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007385Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007384Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007383Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007382Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007381Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007380Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007379Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007378Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007377Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007376Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007375Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007374Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007373Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007372Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007371Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007370Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007369Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007368Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007367Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007366Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007365Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007364Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007363Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007362Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007361Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007360Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007359Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007358Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007357Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007356Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1382d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+180f1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10ec7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9 10341000x80000000000000007355Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+180f1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10ec7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007354Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+180f1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10ec7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007353Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18203264C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+180a8|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10ec7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007352Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007351Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007350Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007349Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007348Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010F2920900}10485364C:\Windows\system32\sihost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+6375|C:\Windows\System32\twinui.appcore.dll+470d|C:\Windows\System32\twinui.appcore.dll+3e1e|C:\Windows\system32\activationmanager.dll+79e9|C:\Windows\system32\activationmanager.dll+ac47|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000007347Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010F2920900}10485364C:\Windows\system32\sihost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+590b|C:\Windows\System32\twinui.appcore.dll+470d|C:\Windows\System32\twinui.appcore.dll+3e1e|C:\Windows\system32\activationmanager.dll+79e9|C:\Windows\system32\activationmanager.dll+ac47|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000007346Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-0010058A0900}18205404C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16dde|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16f72|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16e8f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1736c|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x80000000000000007345Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007344Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007343Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+625f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5dfa|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5ea2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5ff5|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e 10341000x80000000000000007342Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007341Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007340Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007339Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.245{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007338Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.229{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007337Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.214{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007336Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.214{B364217D-61FE-5FCE-0000-001037C40000}12042004C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007335Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.198{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007334Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.183{B364217D-6461-5FCE-0000-0010058A0900}18205404C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+5b70|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x80000000000000007333Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.183{B364217D-6461-5FCE-0000-0010058A0900}18205032C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\execmodelclient.dll+ff86|C:\Windows\System32\execmodelclient.dll+fe2c|C:\Windows\System32\execmodelclient.dll+1e7d9|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+5086c|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007332Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.183{B364217D-6461-5FCE-0000-0010058A0900}18205032C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\execmodelclient.dll+ff86|C:\Windows\System32\execmodelclient.dll+fea8|C:\Windows\System32\execmodelclient.dll+1e7bb|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+5086c|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x80000000000000007331Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.183{B364217D-6461-5FCE-0000-0010058A0900}18205404C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007330Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.183{B364217D-6461-5FCE-0000-0010058A0900}18205404C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x80000000000000007329Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.183{B364217D-6461-5FCE-0000-0010058A0900}18205032C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\execmodelclient.dll+79be|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000007328Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.183{B364217D-6461-5FCE-0000-0010058A0900}18205032C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\execmodelclient.dll+791a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000007327Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.183{B364217D-6461-5FCE-0000-0010058A0900}18205404C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+5b70|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x80000000000000007326Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.183{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007325Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.183{B364217D-6461-5FCE-0000-0010058A0900}18204308C:\Windows\System32\RuntimeBroker.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\TokenBroker.dll+1acfa|C:\Windows\System32\TokenBroker.dll+1d475|C:\Windows\System32\TokenBroker.dll+1d7f9|C:\Windows\System32\TokenBroker.dll+1e8f3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+5086c|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x80000000000000007324Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.183{B364217D-6461-5FCE-0000-0010058A0900}18204308C:\Windows\System32\RuntimeBroker.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\TokenBroker.dll+21886|C:\Windows\System32\TokenBroker.dll+1ac23|C:\Windows\System32\TokenBroker.dll+1d475|C:\Windows\System32\TokenBroker.dll+1d7f9|C:\Windows\System32\TokenBroker.dll+1e8f3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+5086c|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007323Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.183{B364217D-6461-5FCE-0000-0010058A0900}18205404C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000007322Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.183{B364217D-6461-5FCE-0000-0010058A0900}18205404C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x80000000000000007321Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.120{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007320Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.120{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007319Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.120{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007318Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.120{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007317Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.120{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007316Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.120{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007315Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.104{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007314Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.104{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007313Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.104{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007312Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.104{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007311Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.104{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007310Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.104{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007309Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.104{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\combase.dll+5bf41|C:\Windows\System32\combase.dll+5b85d 10341000x80000000000000007308Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.104{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\combase.dll+5bf41|C:\Windows\System32\combase.dll+5b85d 10341000x80000000000000007307Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.073{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007306Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.026{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007305Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.026{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007304Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.026{B364217D-6462-5FCE-0000-0010EAFF0900}56285656C:\Windows\System32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b234|c:\windows\system32\appreadiness.dll+c029|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000007303Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.026{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007302Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.026{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007301Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.011{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+18a6c|C:\Windows\SYSTEM32\psmserviceexthost.dll+e44e|C:\Windows\SYSTEM32\psmserviceexthost.dll+e4e7|C:\Windows\SYSTEM32\psmserviceexthost.dll+e1f2|C:\Windows\SYSTEM32\psmserviceexthost.dll+18e38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007300Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.011{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007299Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.011{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007298Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.011{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007297Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.011{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007296Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.011{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007295Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.011{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007294Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.011{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007293Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.011{B364217D-6462-5FCE-0000-0010EAFF0900}56285656C:\Windows\System32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b167|c:\windows\system32\appreadiness.dll+bfb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000007292Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.011{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007291Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.011{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007290Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.995{B364217D-6462-5FCE-0000-0010EAFF0900}56285668C:\Windows\System32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b234|c:\windows\system32\appreadiness.dll+c029|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000007289Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.995{B364217D-6462-5FCE-0000-0010EAFF0900}56285668C:\Windows\System32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b167|c:\windows\system32\appreadiness.dll+bfb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000007288Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.995{B364217D-6462-5FCE-0000-0010EAFF0900}56285656C:\Windows\System32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b234|c:\windows\system32\appreadiness.dll+b81e|c:\windows\system32\appreadiness.dll+b725|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x80000000000000007287Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.995{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000007286Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.995{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000007285Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.995{B364217D-6461-5FCE-0000-0010F2920900}10485364C:\Windows\system32\sihost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+6375|C:\Windows\System32\twinui.appcore.dll+470d|C:\Windows\System32\twinui.appcore.dll+3e1e|C:\Windows\system32\activationmanager.dll+79e9|C:\Windows\system32\activationmanager.dll+ac47|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000007284Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.995{B364217D-6462-5FCE-0000-0010EAFF0900}56285656C:\Windows\System32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b167|c:\windows\system32\appreadiness.dll+b780|c:\windows\system32\appreadiness.dll+b725|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x80000000000000007283Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.995{B364217D-6461-5FCE-0000-0010F2920900}10485364C:\Windows\system32\sihost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+590b|C:\Windows\System32\twinui.appcore.dll+470d|C:\Windows\System32\twinui.appcore.dll+3e1e|C:\Windows\system32\activationmanager.dll+79e9|C:\Windows\system32\activationmanager.dll+ac47|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000007282Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.995{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000007281Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.995{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000007280Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.995{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x80000000000000007279Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.995{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x80000000000000007278Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.995{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007277Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.995{B364217D-6461-5FCE-0000-001072CC0900}55125388C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007276Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.995{B364217D-6461-5FCE-0000-001072CC0900}55125388C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007275Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.995{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x80000000000000007274Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:52.995{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x80000000000000008245Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.886{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008244Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.870{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008243Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.870{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008242Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.870{B364217D-620D-5FCE-0000-001026C10200}31643532C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bc62|c:\windows\system32\tileobjserver.dll+26db2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000008241Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.870{B364217D-620D-5FCE-0000-001026C10200}31643532C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\tileobjserver.dll+bc0f|c:\windows\system32\tileobjserver.dll+26db2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x80000000000000008240Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.870{B364217D-620D-5FCE-0000-001026C10200}31643532C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bc62|c:\windows\system32\tileobjserver.dll+26f22|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000008239Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.870{B364217D-620D-5FCE-0000-001026C10200}31643532C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\tileobjserver.dll+bc0f|c:\windows\system32\tileobjserver.dll+26f22|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x80000000000000008238Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.870{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008237Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.870{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008236Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.870{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008235Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.870{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008234Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.870{B364217D-6461-5FCE-0000-001072CC0900}55125180C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\wpncore.dll+38cbd|C:\Windows\System32\wpncore.dll+3794e|C:\Windows\System32\wpncore.dll+230b3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 10341000x80000000000000008233Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.870{B364217D-6461-5FCE-0000-001072CC0900}55125180C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\wpncore.dll+38cbd|C:\Windows\System32\wpncore.dll+38c00|C:\Windows\System32\wpncore.dll+23077|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 10341000x80000000000000008232Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.870{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008231Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.870{B364217D-6461-5FCE-0000-001072CC0900}55125180C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\wpncore.dll+38cbd|C:\Windows\System32\wpncore.dll+3794e|C:\Windows\System32\wpncore.dll+230b3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 10341000x80000000000000008230Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.870{B364217D-6461-5FCE-0000-001072CC0900}55125180C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\wpncore.dll+38cbd|C:\Windows\System32\wpncore.dll+38c00|C:\Windows\System32\wpncore.dll+23077|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 10341000x80000000000000008229Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.870{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008228Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.870{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008227Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.870{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008226Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.870{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008225Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.870{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008224Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.807{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008223Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.807{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008222Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.761{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000008221Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:20:54.573{B364217D-61FE-5FCE-0000-001037C40000}1204C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6ccbd-0x51b566c1) 10341000x80000000000000008220Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.198{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008219Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.198{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008218Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.198{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008217Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.198{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008216Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.198{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008215Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.120{B364217D-6461-5FCE-0000-0010058A0900}18206432C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000008214Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.120{B364217D-6461-5FCE-0000-0010058A0900}18206432C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x80000000000000008213Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.120{B364217D-6461-5FCE-0000-0010058A0900}18206180C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+13c5d7|C:\Windows\System32\Windows.Storage.dll+13e363|C:\Windows\System32\Windows.Storage.dll+13c548|C:\Windows\System32\Windows.Storage.dll+13c40d|C:\Windows\System32\Windows.Storage.dll+73bac|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\Windows.Storage.dll+14735c 10341000x80000000000000008212Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.120{B364217D-6461-5FCE-0000-0010058A0900}18206180C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+60608|C:\Windows\System32\Windows.Storage.dll+13e344|C:\Windows\System32\Windows.Storage.dll+13c548|C:\Windows\System32\Windows.Storage.dll+13c40d|C:\Windows\System32\Windows.Storage.dll+73bac|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\Windows.Storage.dll+14735c 10341000x80000000000000008211Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.120{B364217D-6461-5FCE-0000-0010058A0900}18206180C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+13d57b|C:\Windows\System32\Windows.Storage.dll+13ccf5|C:\Windows\System32\Windows.Storage.dll+13cc5e|C:\Windows\System32\Windows.Storage.dll+13c3c6|C:\Windows\System32\Windows.Storage.dll+73bac|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\Windows.Storage.dll+14735c 10341000x80000000000000008210Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.104{B364217D-6461-5FCE-0000-0010058A0900}18206432C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+6411c|C:\Windows\System32\Windows.Storage.dll+13bb89|C:\Windows\System32\Windows.Storage.dll+13b9c4|C:\Windows\System32\Windows.Storage.dll+818c6|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x80000000000000008209Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.104{B364217D-6461-5FCE-0000-0010058A0900}18206180C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+13c0f0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\Windows.Storage.dll+14735c|C:\Windows\System32\Windows.Storage.dll+146cea|C:\Windows\System32\Windows.Storage.dll+1a6029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008208Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.104{B364217D-6461-5FCE-0000-0010058A0900}18206180C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+6430f|C:\Windows\System32\Windows.Storage.dll+62682|C:\Windows\System32\Windows.Storage.dll+62c78|C:\Windows\System32\Windows.Storage.dll+13a887|C:\Windows\System32\Windows.Storage.dll+13c0d5|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\Windows.Storage.dll+14735c 10341000x80000000000000008207Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.104{B364217D-6461-5FCE-0000-0010058A0900}18206180C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+63043|C:\Windows\System32\Windows.Storage.dll+13a985|C:\Windows\System32\Windows.Storage.dll+13a86d|C:\Windows\System32\Windows.Storage.dll+13c0d5|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\Windows.Storage.dll+14735c|C:\Windows\System32\Windows.Storage.dll+146cea 10341000x80000000000000008206Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.104{B364217D-6461-5FCE-0000-0010058A0900}18206432C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+6411c|C:\Windows\System32\Windows.Storage.dll+13bb89|C:\Windows\System32\Windows.Storage.dll+13b9c4|C:\Windows\System32\Windows.Storage.dll+818c6|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 11241100x80000000000000008205Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.104{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1a3d0425-bda8-42bb-82b1-abfabfb73038}\0.2.filtertrie.intermediate.txt2020-12-07 17:20:54.104 11241100x80000000000000008204Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.104{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1a3d0425-bda8-42bb-82b1-abfabfb73038}\0.1.filtertrie.intermediate.txt2020-12-07 17:20:54.104 11241100x80000000000000008203Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.089{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1a3d0425-bda8-42bb-82b1-abfabfb73038}\0.0.filtertrie.intermediate.txt2020-12-07 17:20:54.089 11241100x80000000000000008202Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.057{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{2d7ac341-aeda-4e09-b357-9d73e3dadd7f}\appssynonyms.txt2016-04-15 08:09:24.000 10341000x80000000000000008201Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.011{B364217D-6461-5FCE-0000-001072CC0900}55125224C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+6468|C:\Windows\System32\SHCORE.dll+6437|C:\Windows\System32\SHCORE.dll+6327|C:\Windows\System32\SHCORE.dll+629d|C:\Windows\System32\SHCORE.dll+61aa|C:\Windows\System32\SHELL32.dll+46770|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8028B65C8D8)|UNKNOWN(FFFFB8A5FAFC21F8)|UNKNOWN(FFFFB8A5FAFC2377)|UNKNOWN(FFFFB8A5FAFBCA01)|UNKNOWN(FFFFB8A5FAFBE3CA)|UNKNOWN(FFFFB8A5FAFBC686)|UNKNOWN(FFFFF8028B373E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+49fdb|C:\Windows\System32\SHELL32.dll+10a26a|C:\Windows\System32\SHCORE.dll+2fedd 10341000x80000000000000008200Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:54.011{B364217D-6461-5FCE-0000-001072CC0900}55125224C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+6468|C:\Windows\System32\SHCORE.dll+124a5|C:\Windows\System32\SHELL32.dll+46251|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8028B65C8D8)|UNKNOWN(FFFFB8A5FAFC21F8)|UNKNOWN(FFFFB8A5FAFC2377)|UNKNOWN(FFFFB8A5FAFBCA01)|UNKNOWN(FFFFB8A5FAFBE3CA)|UNKNOWN(FFFFB8A5FAFBC686)|UNKNOWN(FFFFF8028B373E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+49fdb|C:\Windows\System32\SHELL32.dll+10a26a|C:\Windows\System32\SHCORE.dll+2fedd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008199Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:53.995{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache132518352538924382.txt2020-12-07 17:20:53.995 10341000x80000000000000008255Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:55.979{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008254Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:55.729{B364217D-61FE-5FCE-0000-0010D5C80000}12481384C:\Windows\System32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\ncbservice.dll+86ee|c:\windows\system32\ncbservice.dll+6753|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008253Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:55.729{B364217D-61FE-5FCE-0000-0010D5C80000}12481384C:\Windows\System32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|c:\windows\system32\ncbservice.dll+86c0|c:\windows\system32\ncbservice.dll+6753|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008252Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:55.089{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008251Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:55.089{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008250Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:55.089{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008249Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:55.089{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008248Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:55.089{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008247Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:55.089{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008246Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:55.089{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008262Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:56.073{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008261Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:56.042{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008260Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:56.026{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008259Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:56.011{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008258Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:56.011{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008257Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:55.995{B364217D-6461-5FCE-0000-0010058A0900}18206432C:\Windows\System32\RuntimeBroker.exe{B364217D-6461-5FCE-0000-0010AF940900}4520C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\TokenBroker.dll+1acfa|C:\Windows\System32\TokenBroker.dll+1d475|C:\Windows\System32\TokenBroker.dll+1d7f9|C:\Windows\System32\TokenBroker.dll+1e8f3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+5086c|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x80000000000000008256Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:55.995{B364217D-6461-5FCE-0000-0010058A0900}18206432C:\Windows\System32\RuntimeBroker.exe{B364217D-6461-5FCE-0000-0010AF940900}4520C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\TokenBroker.dll+21886|C:\Windows\System32\TokenBroker.dll+1ac23|C:\Windows\System32\TokenBroker.dll+1d475|C:\Windows\System32\TokenBroker.dll+1d7f9|C:\Windows\System32\TokenBroker.dll+1e8f3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+5086c|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000008274Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:57.839{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6479-5FCE-0000-001077F40D00}6840C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008273Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:57.823{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6479-5FCE-0000-001077F40D00}6840C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008272Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:57.823{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6479-5FCE-0000-001077F40D00}6840C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008271Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:20:57.667{B364217D-6473-5FCE-0000-0010FAE80C00}4188C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\105c-0\System.Data.dll2020-12-07 17:20:57.667 10341000x80000000000000008270Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:57.573{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6479-5FCE-0000-0010BDEF0D00}6792C:\Windows\System32\mobsync.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008269Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:57.573{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6479-5FCE-0000-0010BDEF0D00}6792C:\Windows\System32\mobsync.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008268Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:57.557{B364217D-61FE-5FCE-0000-00102EBA0000}11362224C:\Windows\system32\svchost.exe{B364217D-6479-5FCE-0000-0010BDEF0D00}6792C:\Windows\System32\mobsync.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008267Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:57.557{B364217D-61FE-5FCE-0000-00102EBA0000}11361624C:\Windows\system32\svchost.exe{B364217D-6479-5FCE-0000-0010BDEF0D00}6792C:\Windows\System32\mobsync.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008266Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:57.557{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6479-5FCE-0000-0010BDEF0D00}6792C:\Windows\System32\mobsync.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008265Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:57.542{B364217D-645F-5FCE-0000-0010EA600800}42163868C:\Windows\system32\csrss.exe{B364217D-6479-5FCE-0000-0010BDEF0D00}6792C:\Windows\System32\mobsync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008264Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:57.542{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6479-5FCE-0000-0010BDEF0D00}6792C:\Windows\System32\mobsync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008263Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:57.542{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6479-5FCE-0000-0010BDEF0D00}6792C:\Windows\System32\mobsync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008281Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:58.698{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008280Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:58.698{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008279Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:58.698{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000008278Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:58.698{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000008277Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:58.245{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-647A-5FCE-0000-001056F80D00}6884C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008276Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:58.245{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-647A-5FCE-0000-001056F80D00}6884C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008275Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:20:58.245{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-647A-5FCE-0000-001056F80D00}6884C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008288Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:00.932{B364217D-6463-5FCE-0000-001014400A00}59845988C:\Windows\system32\rundll32.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\shell32.dll+43c6e|C:\Windows\System32\shell32.dll+eef32|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d18e|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6017|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008287Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:00.932{B364217D-6463-5FCE-0000-001014400A00}59845988C:\Windows\system32\rundll32.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\shell32.dll+43bd8|C:\Windows\System32\shell32.dll+eef32|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d18e|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6017|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008286Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:00.932{B364217D-6463-5FCE-0000-001014400A00}59845988C:\Windows\system32\rundll32.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\shell32.dll+43bba|C:\Windows\System32\shell32.dll+eef32|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d18e|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6017|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008285Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:00.932{B364217D-6463-5FCE-0000-001014400A00}59845988C:\Windows\system32\rundll32.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\shell32.dll+43bba|C:\Windows\System32\shell32.dll+eef32|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d18e|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6017|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008284Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:00.932{B364217D-6463-5FCE-0000-001014400A00}59845988C:\Windows\system32\rundll32.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\System32\shell32.dll+d001a|C:\Windows\System32\shell32.dll+ef204|C:\Windows\System32\shell32.dll+eee58|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d18e|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6017|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008283Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:00.932{B364217D-6463-5FCE-0000-001014400A00}59845988C:\Windows\system32\rundll32.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\shell32.dll+d0008|C:\Windows\System32\shell32.dll+ef204|C:\Windows\System32\shell32.dll+eee58|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d18e|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6017|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008282Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:00.932{B364217D-6463-5FCE-0000-001014400A00}59845988C:\Windows\system32\rundll32.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\shell32.dll+d0008|C:\Windows\System32\shell32.dll+ef204|C:\Windows\System32\shell32.dll+eee58|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d18e|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6017|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008300Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:01.776{B364217D-620D-5FCE-0000-001026C10200}31642996C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bc62|c:\windows\system32\tileobjserver.dll+26f22|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000008299Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:01.776{B364217D-620D-5FCE-0000-001026C10200}31642996C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\tileobjserver.dll+bc0f|c:\windows\system32\tileobjserver.dll+26f22|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x80000000000000008298Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:01.776{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008297Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:01.776{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008296Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:01.776{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000008295Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:01.776{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000008294Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:01.464{B364217D-61FE-5FCE-0000-00102EBA0000}11361232C:\Windows\system32\svchost.exe{B364217D-647D-5FCE-0000-00101D0A0E00}6976C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008293Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:01.464{B364217D-61FE-5FCE-0000-00102EBA0000}11361624C:\Windows\system32\svchost.exe{B364217D-647D-5FCE-0000-00101D0A0E00}6976C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008292Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:01.448{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-647D-5FCE-0000-00101D0A0E00}6976C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008291Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:01.448{B364217D-645F-5FCE-0000-0010EA600800}42163292C:\Windows\system32\csrss.exe{B364217D-647D-5FCE-0000-00101D0A0E00}6976C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008290Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:01.448{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-647D-5FCE-0000-00101D0A0E00}6976C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008289Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:01.448{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-647D-5FCE-0000-00101D0A0E00}6976C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000008348Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:21:04.885{B364217D-620D-5FCE-0000-001046BC0200}2932C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9D191D6C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9D191D6C-0000-0000-0000-100000000000.XML 13241300x80000000000000008347Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:21:04.870{B364217D-620D-5FCE-0000-001046BC0200}2932C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\538C2984-7B20-4C46-AAE9-2DA39386C4F2\Config SourceDWORD (0x00000001) 13241300x80000000000000008346Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:21:04.870{B364217D-620D-5FCE-0000-001046BC0200}2932C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\538C2984-7B20-4C46-AAE9-2DA39386C4F2\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_538C2984-7B20-4C46-AAE9-2DA39386C4F2.XML 10341000x80000000000000008345Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.713{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008344Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.713{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008343Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.713{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008342Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.713{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008341Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.713{B364217D-645F-5FCE-0000-0010EA600800}42163324C:\Windows\system32\csrss.exe{B364217D-6480-5FCE-0000-00103A3C0E00}4612C:\Windows\System32\ctfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008340Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.713{B364217D-6461-5FCE-0000-001072CC0900}55126660C:\Windows\Explorer.EXE{B364217D-6480-5FCE-0000-00103A3C0E00}4612C:\Windows\System32\ctfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+13755f|C:\Windows\System32\windows.storage.dll+1371d5|C:\Windows\System32\windows.storage.dll+136cc6|C:\Windows\System32\windows.storage.dll+138138|C:\Windows\System32\windows.storage.dll+136aee|C:\Windows\System32\windows.storage.dll+10a3b5|C:\Windows\System32\windows.storage.dll+10a734|C:\Windows\System32\windows.storage.dll+109d70|C:\Windows\System32\windows.storage.dll+1241fa|C:\Windows\System32\windows.storage.dll+123f5a|C:\Windows\System32\SHELL32.dll+77991|C:\Windows\System32\SHELL32.dll+767f6|C:\Windows\System32\SHELL32.dll+110821|C:\Windows\System32\SHELL32.dll+7888e|C:\Windows\Explorer.EXE+118eb|C:\Windows\Explorer.EXE+1163f|C:\Windows\Explorer.EXE+12610|C:\Windows\Explorer.EXE+134aa|C:\Windows\Explorer.EXE+129be|C:\Windows\Explorer.EXE+126a3 154100x80000000000000008339Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.720{B364217D-6480-5FCE-0000-00103A3C0E00}4612C:\Windows\System32\ctfmon.exe10.0.14393.0 (rs1_release.160715-1616)CTF LoaderMicrosoft® Windows® Operating SystemMicrosoft CorporationCTFMON.EXE"C:\Windows\System32\ctfmon.exe" /nC:\Windows\system32\ATTACKRANGE\Administrator{B364217D-6460-5FCE-0000-0020BD420900}0x942bd2HighMD5=BB38581A13B7265CF4E62741955E7457,SHA256=103C028F6ED13FDF916B0B15138BDFE66CAC0D667D735D853FC8E45341FE8A3A,IMPHASH=C799FE056F8DF24A5E47C4D509C9D61C{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 12241200x80000000000000008338Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localT1060,RunKeyDeleteValue2020-12-07 17:21:04.713{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXEHKU\S-1-5-21-2034510999-1345200767-2897500970-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce\ctfmon.exe 10341000x80000000000000008337Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.573{B364217D-61FE-5FCE-0000-00102EBA0000}11364888C:\Windows\system32\svchost.exe{B364217D-6480-5FCE-0000-0010F8260E00}7108C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008336Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.573{B364217D-61FE-5FCE-0000-00102EBA0000}11361624C:\Windows\system32\svchost.exe{B364217D-6480-5FCE-0000-0010F8260E00}7108C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008335Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.526{B364217D-61FC-5FCE-0000-001019540000}8564172C:\Windows\system32\lsass.exe{B364217D-6480-5FCE-0000-0010F8260E00}7108C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008334Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.526{B364217D-61FC-5FCE-0000-001019540000}8564172C:\Windows\system32\lsass.exe{B364217D-6480-5FCE-0000-0010F8260E00}7108C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008333Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.448{B364217D-6480-5FCE-0000-0010F8260E00}7108C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_wr2znyr5.hjy.ps12020-12-07 17:21:04.448 10341000x80000000000000008332Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.432{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-6480-5FCE-0000-0010F8260E00}7108C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008331Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.401{B364217D-6480-5FCE-0000-00103B230E00}70647084C:\Windows\system32\conhost.exe{B364217D-6480-5FCE-0000-0010F8260E00}7108C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008330Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.401{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008329Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.401{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008328Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.401{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008327Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.401{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008326Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.401{B364217D-645F-5FCE-0000-0010EA600800}42163324C:\Windows\system32\csrss.exe{B364217D-6480-5FCE-0000-0010F8260E00}7108C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008325Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.401{B364217D-6480-5FCE-0000-0010BE220E00}70567060C:\Windows\system32\cmd.exe{B364217D-6480-5FCE-0000-0010F8260E00}7108C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008324Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.412{B364217D-6480-5FCE-0000-0010F8260E00}7108C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted "Import-Module "C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psd1"; Set-Wallpaper -Initial" C:\Windows\system32\ATTACKRANGE\Administrator{B364217D-6460-5FCE-0000-0020BD420900}0x942bd2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{B364217D-6480-5FCE-0000-0010BE220E00}7056C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetupInit.cmd" " 10341000x80000000000000008323Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.385{B364217D-6461-5FCE-0000-001072CC0900}55125940C:\Windows\Explorer.EXE{B364217D-6480-5FCE-0000-0010BE220E00}7056C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+514bf|C:\Windows\System32\SHELL32.dll+52065|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008322Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.385{B364217D-6461-5FCE-0000-001072CC0900}55125940C:\Windows\Explorer.EXE{B364217D-6480-5FCE-0000-0010BE220E00}7056C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+51f7e|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008321Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.385{B364217D-6461-5FCE-0000-001072CC0900}55125940C:\Windows\Explorer.EXE{B364217D-6480-5FCE-0000-0010BE220E00}7056C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008320Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.385{B364217D-6461-5FCE-0000-0010D0970900}31525316C:\Windows\system32\taskhostw.exe{B364217D-6480-5FCE-0000-00103B230E00}7064C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008319Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.385{B364217D-6461-5FCE-0000-001072CC0900}55125332C:\Windows\Explorer.EXE{B364217D-6480-5FCE-0000-0010BE220E00}7056C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+514bf|C:\Windows\System32\SHELL32.dll+52065|C:\Windows\Explorer.EXE+2fd1a|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008318Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.385{B364217D-6461-5FCE-0000-001072CC0900}55125332C:\Windows\Explorer.EXE{B364217D-6480-5FCE-0000-0010BE220E00}7056C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+51f7e|C:\Windows\Explorer.EXE+2fd1a|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008317Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.385{B364217D-6461-5FCE-0000-001072CC0900}55125332C:\Windows\Explorer.EXE{B364217D-6480-5FCE-0000-0010BE220E00}7056C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+2fd1a|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008316Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.385{B364217D-6461-5FCE-0000-001072CC0900}55125332C:\Windows\Explorer.EXE{B364217D-6480-5FCE-0000-0010BE220E00}7056C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+3007c|C:\Windows\Explorer.EXE+30028|C:\Windows\Explorer.EXE+2fccc|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008315Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.385{B364217D-6461-5FCE-0000-001072CC0900}55124740C:\Windows\Explorer.EXE{B364217D-6480-5FCE-0000-00103B230E00}7064C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+514bf|C:\Windows\System32\SHELL32.dll+519e0|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008314Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.385{B364217D-6461-5FCE-0000-001072CC0900}55124740C:\Windows\Explorer.EXE{B364217D-6480-5FCE-0000-00103B230E00}7064C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e75c0|C:\Windows\System32\SHELL32.dll+5199c|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008313Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.385{B364217D-6461-5FCE-0000-001072CC0900}55124740C:\Windows\Explorer.EXE{B364217D-6480-5FCE-0000-00103B230E00}7064C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51970|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008312Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.385{B364217D-6461-5FCE-0000-001072CC0900}55124740C:\Windows\Explorer.EXE{B364217D-6480-5FCE-0000-00103B230E00}7064C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+144dd9|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008311Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.370{B364217D-61FE-5FCE-0000-00102EBA0000}11364888C:\Windows\system32\svchost.exe{B364217D-6480-5FCE-0000-00103B230E00}7064C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008310Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.370{B364217D-61FE-5FCE-0000-00102EBA0000}11361624C:\Windows\system32\svchost.exe{B364217D-6480-5FCE-0000-00103B230E00}7064C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008309Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.370{B364217D-6480-5FCE-0000-00103B230E00}70647084C:\Windows\system32\conhost.exe{B364217D-6480-5FCE-0000-0010BE220E00}7056C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008308Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.370{B364217D-645F-5FCE-0000-0010EA600800}42163292C:\Windows\system32\csrss.exe{B364217D-6480-5FCE-0000-00103B230E00}7064C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008307Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.370{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008306Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.370{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008305Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.370{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008304Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.370{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008303Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.370{B364217D-645F-5FCE-0000-0010EA600800}42163324C:\Windows\system32\csrss.exe{B364217D-6480-5FCE-0000-0010BE220E00}7056C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008302Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.370{B364217D-6461-5FCE-0000-001072CC0900}55126660C:\Windows\Explorer.EXE{B364217D-6480-5FCE-0000-0010BE220E00}7056C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+13755f|C:\Windows\System32\windows.storage.dll+1371d5|C:\Windows\System32\windows.storage.dll+136cc6|C:\Windows\System32\windows.storage.dll+138138|C:\Windows\System32\windows.storage.dll+136aee|C:\Windows\System32\windows.storage.dll+10a3b5|C:\Windows\System32\windows.storage.dll+10a734|C:\Windows\System32\windows.storage.dll+109d70|C:\Windows\System32\windows.storage.dll+1241fa|C:\Windows\System32\windows.storage.dll+123f5a|C:\Windows\System32\SHELL32.dll+77991|C:\Windows\System32\SHELL32.dll+767f6|C:\Windows\System32\SHELL32.dll+110821|C:\Windows\System32\SHELL32.dll+7888e|C:\Windows\Explorer.EXE+91016|C:\Windows\Explorer.EXE+10b9b|C:\Windows\Explorer.EXE+10a0e|C:\Windows\Explorer.EXE+e972|C:\Windows\System32\SHCORE.dll+2fedd|C:\Windows\System32\KERNEL32.DLL+84d4 154100x80000000000000008301Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.370{B364217D-6480-5FCE-0000-0010BE220E00}7056C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetupInit.cmd" "C:\Windows\system32\ATTACKRANGE\Administrator{B364217D-6460-5FCE-0000-0020BD420900}0x942bd2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 354300x80000000000000008349Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:04.681{B364217D-6480-5FCE-0000-0010F8260E00}7108C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-692.attackrange.local64293false93.184.220.2980http 10341000x80000000000000008357Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:07.932{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6483-5FCE-0000-0010A7910E00}6932C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008356Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:07.932{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6483-5FCE-0000-0010A7910E00}6932C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008355Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:07.932{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6483-5FCE-0000-0010A7910E00}6932C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008354Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:07.885{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000008353Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:07.885{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000008352Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:07.885{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000008351Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:07.885{B364217D-6461-5FCE-0000-0010F2920900}10486048C:\Windows\system32\sihost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+23f30|C:\Windows\System32\modernexecserver.dll+43e70|C:\Windows\System32\modernexecserver.dll+3102d|C:\Windows\System32\modernexecserver.dll+30d24|C:\Windows\System32\modernexecserver.dll+17072|C:\Windows\System32\modernexecserver.dll+1d5d7|C:\Windows\SYSTEM32\ntdll.dll+3a950|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008350Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:21:07.698{B364217D-647A-5FCE-0000-001056F80D00}6884C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1ae4-0\System.Windows.Forms.dll2020-12-07 17:21:07.698 10341000x80000000000000008373Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:08.901{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6484-5FCE-0000-00102DA50E00}648C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008372Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:08.901{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6484-5FCE-0000-00102DA50E00}648C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008371Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:08.901{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6484-5FCE-0000-00102DA50E00}648C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008370Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:08.854{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6463-5FCE-0000-001014400A00}5984C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008369Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:08.854{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6463-5FCE-0000-001014400A00}5984C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008368Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:08.854{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6463-5FCE-0000-001014400A00}5984C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008367Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:21:08.792{B364217D-6484-5FCE-0000-00105A950E00}6576C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\19b0-0\System.Runtime.Remoting.dll2020-12-07 17:21:08.792 10341000x80000000000000008366Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:08.776{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000008365Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:08.776{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000008364Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:08.776{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000008363Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:08.776{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000008362Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:08.776{B364217D-61FE-5FCE-0000-0010E0650000}6041100C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000008361Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:08.776{B364217D-6461-5FCE-0000-0010F2920900}10486048C:\Windows\system32\sihost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+1a0fc|C:\Windows\System32\modernexecserver.dll+1a09f|C:\Windows\System32\modernexecserver.dll+198f6|C:\Windows\System32\modernexecserver.dll+2c9d4|C:\Windows\System32\modernexecserver.dll+35efd|C:\Windows\System32\modernexecserver.dll+4d3a1|C:\Windows\System32\modernexecserver.dll+4d2bf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008360Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:08.167{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6484-5FCE-0000-00105A950E00}6576C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008359Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:08.167{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6484-5FCE-0000-00105A950E00}6576C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008358Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:08.167{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6484-5FCE-0000-00105A950E00}6576C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008403Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:21:09.604{B364217D-6485-5FCE-0000-0010DDBE0E00}6760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\xqltsnxj\xqltsnxj.dll2020-12-07 17:21:09.292 10341000x80000000000000008402Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:09.542{B364217D-6480-5FCE-0000-00103B230E00}70647084C:\Windows\system32\conhost.exe{B364217D-6485-5FCE-0000-00104CC20E00}6780C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008401Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:09.542{B364217D-645F-5FCE-0000-0010EA600800}42163324C:\Windows\system32\csrss.exe{B364217D-6485-5FCE-0000-00104CC20E00}6780C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008400Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:09.542{B364217D-6485-5FCE-0000-0010DDBE0E00}67606764C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{B364217D-6485-5FCE-0000-00104CC20E00}6780C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008399Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:09.542{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008398Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:09.542{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008397Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:09.542{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008396Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:09.542{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008395Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:09.544{B364217D-6485-5FCE-0000-00104CC20E00}6780C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESF.tmp" "c:\Users\Administrator\AppData\Local\Temp\xqltsnxj\CSCBEFAE5C85CCB475598F84AFD5EC490C9.TMP"C:\Windows\system32\ATTACKRANGE\Administrator{B364217D-6460-5FCE-0000-0020BD420900}0x942bd2HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{B364217D-6485-5FCE-0000-0010DDBE0E00}6760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\xqltsnxj\xqltsnxj.cmdline" 10341000x80000000000000008394Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:09.323{B364217D-6480-5FCE-0000-00103B230E00}70647084C:\Windows\system32\conhost.exe{B364217D-6485-5FCE-0000-0010DDBE0E00}6760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008393Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:09.323{B364217D-645F-5FCE-0000-0010EA600800}42163292C:\Windows\system32\csrss.exe{B364217D-6485-5FCE-0000-0010DDBE0E00}6760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008392Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:09.323{B364217D-6480-5FCE-0000-0010F8260E00}71083268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{B364217D-6485-5FCE-0000-0010DDBE0E00}6760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c242b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c18d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\fec023c8de0ed58c816cd442e3b4ddfe\Microsoft.PowerShell.Commands.Utility.ni.dll+ffffd900(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\fec023c8de0ed58c816cd442e3b4ddfe\Microsoft.PowerShell.Commands.Utility.ni.dll+ffffd900(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3a557354(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3a53312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3a532dfe(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3afe46e3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3a4f3994(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3a551e63(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3a5354c8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3a5354c8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3a535641(wow64)|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+46fc1 10341000x80000000000000008391Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:09.323{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008390Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:09.323{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008389Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:09.323{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008388Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:09.323{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008387Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:09.299{B364217D-6485-5FCE-0000-0010DDBE0E00}6760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\xqltsnxj\xqltsnxj.cmdline"C:\Windows\system32\ATTACKRANGE\Administrator{B364217D-6460-5FCE-0000-0020BD420900}0x942bd2HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{B364217D-6480-5FCE-0000-0010F8260E00}7108C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted "Import-Module "C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psd1"; Set-Wallpaper -Initial" 11241100x80000000000000008386Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:09.292{B364217D-6480-5FCE-0000-0010F8260E00}7108C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\xqltsnxj\xqltsnxj.cmdline2020-12-07 17:21:09.292 11241100x80000000000000008385Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:21:09.292{B364217D-6480-5FCE-0000-0010F8260E00}7108C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\xqltsnxj\xqltsnxj.dll2020-12-07 17:21:09.292 10341000x80000000000000008384Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:09.245{B364217D-6461-5FCE-0000-0010F2920900}10486048C:\Windows\system32\sihost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+23f30|C:\Windows\System32\modernexecserver.dll+43e70|C:\Windows\System32\modernexecserver.dll+3102d|C:\Windows\System32\modernexecserver.dll+30d24|C:\Windows\System32\modernexecserver.dll+17072|C:\Windows\System32\modernexecserver.dll+1d5d7|C:\Windows\SYSTEM32\ntdll.dll+3a950|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008383Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:09.198{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6485-5FCE-0000-001039BB0E00}6692C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008382Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:09.182{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6485-5FCE-0000-001039BB0E00}6692C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008381Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:09.182{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6485-5FCE-0000-001039BB0E00}6692C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008380Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:09.135{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008379Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:09.135{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008378Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:09.135{B364217D-61FC-5FCE-0000-001019540000}8564172C:\Windows\system32\lsass.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008377Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:09.104{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6485-5FCE-0000-00103BB30E00}7068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008376Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:09.088{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6485-5FCE-0000-00103BB30E00}7068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008375Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:09.088{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6485-5FCE-0000-00103BB30E00}7068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008374Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:21:09.042{B364217D-6484-5FCE-0000-00102DA50E00}648C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\288-0\System.ServiceProcess.dll2020-12-07 17:21:09.042 10341000x80000000000000008419Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:10.479{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6486-5FCE-0000-001072D10E00}6912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008418Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:10.479{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6486-5FCE-0000-001072D10E00}6912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008417Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:10.479{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6486-5FCE-0000-001072D10E00}6912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008416Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:10.292{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6486-5FCE-0000-001050CD0E00}6828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008415Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:10.292{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6486-5FCE-0000-001050CD0E00}6828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008414Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:10.292{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6486-5FCE-0000-001050CD0E00}6828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008413Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:21:10.229{B364217D-6486-5FCE-0000-0010FFC90E00}6992C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1b50-0\Accessibility.dll2020-12-07 17:21:10.229 10341000x80000000000000008412Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:10.182{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6486-5FCE-0000-0010FFC90E00}6992C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008411Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:10.182{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6486-5FCE-0000-0010FFC90E00}6992C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008410Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:10.167{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6486-5FCE-0000-0010FFC90E00}6992C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008409Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:10.167{B364217D-61FE-5FCE-0000-001037C40000}12042004C:\Windows\system32\svchost.exe{B364217D-6480-5FCE-0000-0010F8260E00}7108C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008408Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:10.167{B364217D-61FE-5FCE-0000-001037C40000}12042004C:\Windows\system32\svchost.exe{B364217D-6480-5FCE-0000-0010F8260E00}7108C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008407Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:10.151{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6486-5FCE-0000-0010D4C60E00}2512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008406Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:10.135{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6486-5FCE-0000-0010D4C60E00}2512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008405Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:10.135{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6486-5FCE-0000-0010D4C60E00}2512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008404Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:21:10.073{B364217D-6485-5FCE-0000-001039BB0E00}6692C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1a24-0\System.Management.dll2020-12-07 17:21:10.073 11241100x80000000000000008440Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:21:11.932{B364217D-6486-5FCE-0000-001072D10E00}6912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1b00-0\Microsoft.VisualBasic.dll2020-12-07 17:21:11.932 354300x80000000000000008439Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:09.869{B364217D-6480-5FCE-0000-0010F8260E00}7108C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-692.attackrange.local64299false169.254.169.25480http 354300x80000000000000008438Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:09.848{B364217D-6480-5FCE-0000-0010F8260E00}7108C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-692.attackrange.local64298false169.254.169.25480http 10341000x80000000000000008437Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:11.620{B364217D-6480-5FCE-0000-00103B230E00}70647084C:\Windows\system32\conhost.exe{B364217D-6487-5FCE-0000-001066DC0E00}5540C:\Windows\system32\findstr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008436Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:11.604{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008435Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:11.604{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008434Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:11.604{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008433Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:11.604{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008432Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:11.604{B364217D-645F-5FCE-0000-0010EA600800}42163324C:\Windows\system32\csrss.exe{B364217D-6487-5FCE-0000-001066DC0E00}5540C:\Windows\system32\findstr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008431Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:11.604{B364217D-6480-5FCE-0000-0010BE220E00}70567060C:\Windows\system32\cmd.exe{B364217D-6487-5FCE-0000-001066DC0E00}5540C:\Windows\system32\findstr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+c3f6|C:\Windows\system32\cmd.exe+4917|C:\Windows\system32\cmd.exe+c378|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008430Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:11.617{B364217D-6487-5FCE-0000-001066DC0E00}5540C:\Windows\System32\findstr.exe10.0.14393.0 (rs1_release.160715-1616)Find String (QGREP) UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationFINDSTR.EXEfindstr /v DELETEME C:\Windows\system32\ATTACKRANGE\Administrator{B364217D-6460-5FCE-0000-0020BD420900}0x942bd2HighMD5=15B171EC73E7B71F4EBB4247E716271E,SHA256=2956F7BC863498DFCC868CE7DF4C9C131A4A5C17B065658456AFEF7566ACE1EE,IMPHASH=D7962312082AAB17974D6817E09E5D7A{B364217D-6480-5FCE-0000-0010BE220E00}7056C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetupInit.cmd" " 10341000x80000000000000008429Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:11.604{B364217D-6480-5FCE-0000-00103B230E00}70647084C:\Windows\system32\conhost.exe{B364217D-6487-5FCE-0000-0010BEDB0E00}6092C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008428Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localT10232020-12-07 17:21:11.604{B364217D-6480-5FCE-0000-0010BE220E00}7056C:\Windows\system32\cmd.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetup.cmd2020-12-07 17:21:11.604 10341000x80000000000000008427Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:11.604{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008426Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:11.604{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008425Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:11.604{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008424Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:11.604{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008423Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:11.604{B364217D-645F-5FCE-0000-0010EA600800}42163324C:\Windows\system32\csrss.exe{B364217D-6487-5FCE-0000-0010BEDB0E00}6092C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008422Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:11.604{B364217D-6480-5FCE-0000-0010BE220E00}70567060C:\Windows\system32\cmd.exe{B364217D-6487-5FCE-0000-0010BEDB0E00}6092C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+c3f6|C:\Windows\system32\cmd.exe+484b|C:\Windows\system32\cmd.exe+c378|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008421Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:11.613{B364217D-6487-5FCE-0000-0010BEDB0E00}6092C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetupInit.cmd" "C:\Windows\system32\ATTACKRANGE\Administrator{B364217D-6460-5FCE-0000-0020BD420900}0x942bd2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B364217D-6480-5FCE-0000-0010BE220E00}7056C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetupInit.cmd" " 10341000x80000000000000008420Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:11.307{B364217D-61FE-5FCE-0000-001037C40000}12042004C:\Windows\system32\svchost.exe{B364217D-6480-5FCE-0000-0010F8260E00}7108C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008452Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:12.979{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6488-5FCE-0000-00101BEF0E00}6336C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008451Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:12.979{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6488-5FCE-0000-00101BEF0E00}6336C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008450Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:21:12.916{B364217D-6488-5FCE-0000-0010DDEA0E00}6280C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1888-0\System.DirectoryServices.dll2020-12-07 17:21:12.916 10341000x80000000000000008449Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:12.104{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6488-5FCE-0000-0010DDEA0E00}6280C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008448Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:12.104{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6488-5FCE-0000-0010DDEA0E00}6280C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008447Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:12.104{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6488-5FCE-0000-0010DDEA0E00}6280C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008446Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:12.057{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6488-5FCE-0000-0010ABE70E00}5456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008445Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:12.057{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6488-5FCE-0000-0010ABE70E00}5456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008444Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:12.057{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6488-5FCE-0000-0010ABE70E00}5456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008443Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:12.010{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6488-5FCE-0000-001057E40E00}5544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008442Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:12.010{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6488-5FCE-0000-001057E40E00}5544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008441Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:12.010{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6488-5FCE-0000-001057E40E00}5544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008463Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:13.885{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6489-5FCE-0000-00101FFA0E00}4304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008462Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:13.870{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6489-5FCE-0000-00101FFA0E00}4304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008461Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:13.870{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6489-5FCE-0000-00101FFA0E00}4304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008460Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:13.620{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6489-5FCE-0000-00104CF60E00}6960C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008459Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:13.604{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6489-5FCE-0000-00104CF60E00}6960C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008458Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:13.604{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6489-5FCE-0000-00104CF60E00}6960C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008457Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:21:13.541{B364217D-6489-5FCE-0000-00106BF20E00}6340C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\18c4-0\System.Transactions.dll2020-12-07 17:21:13.541 10341000x80000000000000008456Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:13.041{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6489-5FCE-0000-00106BF20E00}6340C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008455Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:13.041{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6489-5FCE-0000-00106BF20E00}6340C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008454Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:13.041{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6489-5FCE-0000-00106BF20E00}6340C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008453Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:12.995{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6488-5FCE-0000-00101BEF0E00}6336C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008484Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:15.823{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-648B-5FCE-0000-001040100F00}2512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008483Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:15.807{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6486-5FCE-0000-0010D4C60E00}2512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008482Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:15.807{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6486-5FCE-0000-0010D4C60E00}2512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008481Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:15.745{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6485-5FCE-0000-001039BB0E00}6692C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008480Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:15.745{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6485-5FCE-0000-001039BB0E00}6692C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008479Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:15.745{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6485-5FCE-0000-001039BB0E00}6692C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008478Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:21:15.682{B364217D-648B-5FCE-0000-001080080F00}6852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1ac4-0\System.Configuration.Install.dll2020-12-07 17:21:15.682 10341000x80000000000000008477Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:15.541{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-648B-5FCE-0000-001080080F00}6852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008476Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:15.541{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-648B-5FCE-0000-001080080F00}6852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008475Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:15.541{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-648B-5FCE-0000-001080080F00}6852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008474Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:15.463{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6485-5FCE-0000-0010DDBE0E00}6760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008473Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:15.463{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6485-5FCE-0000-0010DDBE0E00}6760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008472Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:15.463{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6485-5FCE-0000-0010DDBE0E00}6760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008471Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:21:15.401{B364217D-648B-5FCE-0000-0010D7010F00}6748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1a5c-0\CustomMarshalers.dll2020-12-07 17:21:15.401 10341000x80000000000000008470Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:15.307{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-648B-5FCE-0000-0010D7010F00}6748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008469Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:15.307{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-648B-5FCE-0000-0010D7010F00}6748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008468Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:15.307{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-648B-5FCE-0000-0010D7010F00}6748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008467Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:15.276{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-648B-5FCE-0000-0010C5FE0E00}6660C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008466Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:15.260{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-648B-5FCE-0000-0010C5FE0E00}6660C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008465Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:15.260{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-648B-5FCE-0000-0010C5FE0E00}6660C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008464Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:21:15.182{B364217D-6489-5FCE-0000-00101FFA0E00}4304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\10d0-0\System.Web.Services.dll2020-12-07 17:21:15.182 10341000x80000000000000008491Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:17.479{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-648D-5FCE-0000-00100E180F00}6584C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008490Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:17.479{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-648D-5FCE-0000-00100E180F00}6584C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008489Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:17.479{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-648D-5FCE-0000-00100E180F00}6584C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008488Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:17.307{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6479-5FCE-0000-0010BDEF0D00}6792C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008487Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:17.307{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6479-5FCE-0000-0010BDEF0D00}6792C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008486Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:17.307{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6479-5FCE-0000-0010BDEF0D00}6792C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008485Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:21:17.213{B364217D-648B-5FCE-0000-001040100F00}2512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\9d0-0\System.Xaml.dll2020-12-07 17:21:17.213 10341000x80000000000000008499Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:18.713{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-648E-5FCE-0000-0010DE1C0F00}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008498Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:18.713{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008497Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:18.713{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008496Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:18.713{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008495Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:18.713{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008494Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:18.713{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-648E-5FCE-0000-0010DE1C0F00}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008493Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:18.713{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-648E-5FCE-0000-0010DE1C0F00}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008492Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:18.714{B364217D-648E-5FCE-0000-0010DE1C0F00}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008508Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:19.541{B364217D-648F-5FCE-0000-0010EE1E0F00}30166168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008507Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:19.385{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-648F-5FCE-0000-0010EE1E0F00}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008506Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:19.385{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008505Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:19.385{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008504Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:19.385{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008503Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:19.385{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008502Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:19.385{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-648F-5FCE-0000-0010EE1E0F00}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008501Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:19.385{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-648F-5FCE-0000-0010EE1E0F00}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008500Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:19.386{B364217D-648F-5FCE-0000-0010EE1E0F00}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008523Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:20.776{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6490-5FCE-0000-00103B260F00}7072C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008522Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:20.776{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6490-5FCE-0000-00103B260F00}7072C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008521Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:20.776{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6490-5FCE-0000-00103B260F00}7072C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008520Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:20.635{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6490-5FCE-0000-0010C7220F00}6516C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008519Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:20.635{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6490-5FCE-0000-0010C7220F00}6516C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008518Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:20.635{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6490-5FCE-0000-0010C7220F00}6516C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008517Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:21:20.526{B364217D-648D-5FCE-0000-00100E180F00}6584C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\19b8-0\WindowsBase.dll2020-12-07 17:21:20.526 10341000x80000000000000008516Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:20.057{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-6480-5FCE-0000-0010F8260E00}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008515Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:20.057{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008514Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:20.057{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008513Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:20.057{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008512Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:20.057{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008511Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:20.057{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6480-5FCE-0000-0010F8260E00}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008510Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:20.057{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-6480-5FCE-0000-0010F8260E00}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008509Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:20.058{B364217D-6490-5FCE-0000-0010B1200F00}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008543Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:21.885{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6491-5FCE-0000-0010EB320F00}6352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008542Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:21.885{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6491-5FCE-0000-0010EB320F00}6352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008541Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:21.885{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6491-5FCE-0000-0010EB320F00}6352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008540Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:21:21.823{B364217D-6491-5FCE-0000-00101D2F0F00}6248C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1868-0\System.Xml.Linq.dll2020-12-07 17:21:21.823 10341000x80000000000000008539Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:21.448{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6491-5FCE-0000-00101D2F0F00}6248C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008538Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:21.432{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6491-5FCE-0000-00101D2F0F00}6248C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008537Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:21.432{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6491-5FCE-0000-00101D2F0F00}6248C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008536Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:21.354{B364217D-6491-5FCE-0000-001097290F00}44526532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008535Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:21.291{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6491-5FCE-0000-0010722B0F00}6528C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008534Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:21.276{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6491-5FCE-0000-0010722B0F00}6528C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008533Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:21.276{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6491-5FCE-0000-0010722B0F00}6528C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008532Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:21:21.229{B364217D-6490-5FCE-0000-00103B260F00}7072C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1ba0-0\System.Net.Http.dll2020-12-07 17:21:21.229 10341000x80000000000000008531Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:21.198{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-6491-5FCE-0000-001097290F00}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008530Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:21.198{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008529Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:21.198{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008528Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:21.198{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008527Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:21.198{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008526Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:21.198{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6491-5FCE-0000-001097290F00}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008525Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:21.198{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-6491-5FCE-0000-001097290F00}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008524Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:21.199{B364217D-6491-5FCE-0000-001097290F00}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008578Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:22.979{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6492-5FCE-0000-00109A480F00}7068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008577Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:22.963{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6485-5FCE-0000-00103BB30E00}7068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008576Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:22.963{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6485-5FCE-0000-00103BB30E00}7068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008575Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:22.916{B364217D-6492-5FCE-0000-0010ED3F0F00}56164964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008574Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:22.901{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6492-5FCE-0000-001089440F00}7040C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008573Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:22.885{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6492-5FCE-0000-001089440F00}7040C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008572Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:22.885{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6492-5FCE-0000-001089440F00}7040C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008571Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:21:22.823{B364217D-6492-5FCE-0000-00108E3F0F00}7032C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1b78-0\System.Runtime.WindowsRuntime.UI.Xaml.dll2020-12-07 17:21:22.823 10341000x80000000000000008570Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:22.760{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6492-5FCE-0000-00108E3F0F00}7032C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008569Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:22.760{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-6492-5FCE-0000-0010ED3F0F00}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008568Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:22.760{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008567Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:22.760{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008566Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:22.760{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008565Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:22.760{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008564Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:22.760{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6492-5FCE-0000-0010ED3F0F00}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008563Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:22.760{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-6492-5FCE-0000-0010ED3F0F00}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008562Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:22.761{B364217D-6492-5FCE-0000-0010ED3F0F00}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008561Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:22.744{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6492-5FCE-0000-00108E3F0F00}7032C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008560Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:22.744{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6492-5FCE-0000-00108E3F0F00}7032C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008559Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:22.713{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6492-5FCE-0000-0010523C0F00}1264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008558Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:22.713{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6492-5FCE-0000-0010523C0F00}1264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008557Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:22.713{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6492-5FCE-0000-0010523C0F00}1264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008556Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:21:22.635{B364217D-6492-5FCE-0000-001071360F00}1912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\778-0\System.Runtime.WindowsRuntime.dll2020-12-07 17:21:22.635 10341000x80000000000000008555Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:22.244{B364217D-6492-5FCE-0000-0010E8390F00}60446944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008554Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:22.088{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-646F-5FCE-0000-0010AAAB0C00}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008553Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:22.088{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008552Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:22.088{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008551Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:22.088{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008550Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:22.088{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008549Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:22.088{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-646F-5FCE-0000-0010AAAB0C00}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008548Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:22.088{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-646F-5FCE-0000-0010AAAB0C00}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008547Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:22.089{B364217D-6492-5FCE-0000-0010E8390F00}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008546Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:22.010{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6492-5FCE-0000-001071360F00}1912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008545Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:21.994{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6457-5FCE-0000-0010D6090800}1912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008544Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:21.994{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6457-5FCE-0000-0010D6090800}1912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008586Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:23.963{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-6493-5FCE-0000-0010FE4D0F00}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008585Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:23.963{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008584Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:23.963{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008583Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:23.963{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008582Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:23.963{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008581Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:23.963{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6493-5FCE-0000-0010FE4D0F00}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008580Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:23.963{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-6493-5FCE-0000-0010FE4D0F00}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008579Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:23.964{B364217D-6493-5FCE-0000-0010FE4D0F00}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008593Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:25.744{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6495-5FCE-0000-001057560F00}7004C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008592Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:25.744{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6495-5FCE-0000-001057560F00}7004C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008591Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:25.744{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6495-5FCE-0000-001057560F00}7004C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008590Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:25.307{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6495-5FCE-0000-001000510F00}4620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008589Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:25.291{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6495-5FCE-0000-001000510F00}4620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008588Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:25.291{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6495-5FCE-0000-001000510F00}4620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008587Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:21:25.197{B364217D-6492-5FCE-0000-00109A480F00}7068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1b9c-0\System.Runtime.Serialization.dll2020-12-07 17:21:25.197 10341000x80000000000000008594Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:30.260{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008595Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:31.479{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008599Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:33.010{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008598Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:33.010{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008597Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:33.010{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008596Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:33.010{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008602Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:36.791{B364217D-6461-5FCE-0000-0010058A0900}18204308C:\Windows\System32\RuntimeBroker.exe{B364217D-6461-5FCE-0000-0010AF940900}4520C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\TokenBroker.dll+1acfa|C:\Windows\System32\TokenBroker.dll+1d475|C:\Windows\System32\TokenBroker.dll+1d7f9|C:\Windows\System32\TokenBroker.dll+1e8f3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+5086c|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x80000000000000008601Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:36.791{B364217D-6461-5FCE-0000-0010058A0900}18204308C:\Windows\System32\RuntimeBroker.exe{B364217D-6461-5FCE-0000-0010AF940900}4520C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\TokenBroker.dll+21886|C:\Windows\System32\TokenBroker.dll+1ac23|C:\Windows\System32\TokenBroker.dll+1d475|C:\Windows\System32\TokenBroker.dll+1d7f9|C:\Windows\System32\TokenBroker.dll+1e8f3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+5086c|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000008600Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:36.775{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008603Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:21:40.932{B364217D-6495-5FCE-0000-001057560F00}7004C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1b5c-0\System.ServiceModel.dll2020-12-07 17:21:40.932 10341000x80000000000000008630Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:41.525{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008629Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:41.510{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64A5-5FCE-0000-001006CE0F00}7156C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008628Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:41.510{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64A5-5FCE-0000-001006CE0F00}7156C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008627Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:41.510{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64A5-5FCE-0000-001006CE0F00}7156C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008626Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:41.494{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008625Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:41.494{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008624Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:41.478{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008623Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:41.478{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008622Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:41.463{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008621Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:41.463{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008620Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:41.447{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008619Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:41.447{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008618Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:41.447{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008617Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:41.306{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64A5-5FCE-0000-00101EC50F00}6848C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008616Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:41.306{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64A5-5FCE-0000-00101EC50F00}6848C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008615Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:41.306{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64A5-5FCE-0000-00101EC50F00}6848C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008614Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:41.182{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008613Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:41.182{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008612Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:41.182{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008611Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:41.166{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008610Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:41.166{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008609Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:41.166{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008608Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:41.166{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008607Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:41.166{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008606Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:41.150{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008605Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:41.150{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008604Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:41.150{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008717Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.994{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008716Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.994{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008715Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.994{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008714Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.978{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008713Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.978{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008712Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.978{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008711Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.978{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008710Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.978{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008709Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.963{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008708Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.963{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008707Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.963{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008706Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.963{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008705Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.963{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008704Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.963{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008703Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.947{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008702Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.947{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008701Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.947{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008700Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.947{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008699Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.947{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008698Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.931{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008697Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.931{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008696Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.916{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008695Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.916{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008694Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.916{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008693Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.916{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008692Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.900{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008691Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.900{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008690Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.900{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008689Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.885{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008688Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.885{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008687Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.885{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008686Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.869{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008685Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.869{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008684Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.853{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008683Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.853{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008682Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.853{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008681Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.822{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008680Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.822{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008679Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.806{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008678Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.806{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008677Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.806{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008676Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.791{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008675Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.791{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008674Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.791{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008673Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.791{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008672Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.791{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008671Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.775{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008670Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.775{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008669Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.775{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008668Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.775{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008667Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.775{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008666Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.760{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008665Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.760{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008664Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.760{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008663Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.760{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008662Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.744{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008661Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.744{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008660Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.744{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008659Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.744{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008658Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.728{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008657Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.728{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008656Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.728{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008655Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.713{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008654Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.713{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008653Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.713{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008652Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.713{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008651Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.697{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008650Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.697{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008649Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.681{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008648Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.681{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008647Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.666{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008646Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.666{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008645Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.666{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008644Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.650{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008643Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.650{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008642Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.635{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008641Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.635{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008640Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.635{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008639Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.635{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008638Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.635{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008637Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.619{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008636Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.619{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008635Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.619{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008634Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.619{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008633Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.619{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008632Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.603{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008631Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.572{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008906Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.697{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008905Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.697{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008904Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.697{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008903Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.681{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008902Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.681{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008901Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.681{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008900Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.681{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008899Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.681{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008898Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.666{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008897Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.666{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008896Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.666{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008895Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.666{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008894Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.650{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008893Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.650{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008892Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.650{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008891Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.650{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008890Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.650{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008889Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.650{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008888Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.650{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008887Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.635{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008886Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.635{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008885Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.635{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008884Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.635{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008883Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.635{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008882Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.635{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008881Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.619{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008880Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.619{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008879Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.619{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008878Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.619{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008877Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.603{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008876Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.603{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008875Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.588{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008874Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.588{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008873Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.572{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008872Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.572{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008871Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.572{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008870Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.572{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008869Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.572{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008868Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.556{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008867Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.556{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008866Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.556{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008865Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.541{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008864Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.541{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008863Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.541{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008862Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.541{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008861Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.541{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008860Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.541{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008859Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.525{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008858Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.525{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008857Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.525{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008856Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.525{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008855Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.525{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008854Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.525{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008853Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.510{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008852Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.510{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008851Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.510{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008850Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.494{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008849Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.494{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008848Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.494{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008847Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.494{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008846Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.494{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008845Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.494{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008844Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.478{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008843Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.478{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008842Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.478{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008841Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.463{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008840Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.463{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008839Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.463{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008838Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.463{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008837Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.463{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008836Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.447{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008835Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.431{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008834Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.431{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008833Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.431{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008832Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.416{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008831Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.416{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008830Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.400{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008829Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.400{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008828Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.400{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008827Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.400{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008826Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.400{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008825Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.400{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008824Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.385{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008823Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.385{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008822Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.385{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008821Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.385{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008820Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.385{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008819Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.385{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008818Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.369{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008817Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.369{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008816Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.369{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008815Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.369{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008814Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.369{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008813Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.369{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008812Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.353{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008811Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.353{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008810Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.353{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008809Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.353{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008808Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.353{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008807Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.353{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008806Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.338{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008805Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.338{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008804Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.338{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008803Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.338{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008802Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.338{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008801Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.322{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008800Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.322{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008799Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.322{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008798Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.322{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008797Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.306{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008796Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.306{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008795Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.306{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008794Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.306{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008793Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.306{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008792Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.306{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008791Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.291{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008790Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.291{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008789Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.291{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008788Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.291{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008787Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.291{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008786Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.291{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008785Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.275{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008784Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.275{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008783Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.275{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008782Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.260{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008781Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.260{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008780Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.260{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008779Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.244{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008778Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.228{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008777Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.228{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008776Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.228{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008775Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.228{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008774Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.228{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008773Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.228{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008772Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.228{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008771Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.213{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008770Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.213{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008769Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.213{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008768Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.213{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008767Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.213{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008766Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.213{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008765Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.197{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008764Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.197{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008763Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.197{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008762Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.197{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008761Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.197{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008760Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.181{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008759Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.181{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008758Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.181{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008757Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.166{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008756Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.166{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008755Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.150{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008754Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.150{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008753Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.150{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008752Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.135{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008751Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.135{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008750Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.119{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008749Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.119{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008748Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.119{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008747Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.119{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008746Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.119{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008745Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.103{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008744Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.103{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008743Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.103{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008742Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.088{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008741Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.088{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008740Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.088{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008739Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.088{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008738Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.088{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008737Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.088{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008736Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.072{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008735Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.072{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008734Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.072{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008733Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.072{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008732Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.072{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008731Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.072{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008730Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.056{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008729Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.056{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008728Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.056{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008727Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.041{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008726Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.041{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008725Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.041{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008724Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.041{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008723Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.041{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008722Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.025{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008721Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.025{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008720Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.025{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008719Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:43.010{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000008718Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:42.994{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000009053Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.869{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009052Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.869{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009051Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.869{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009050Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.869{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009049Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.869{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009048Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.869{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009047Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.869{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009046Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.869{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009045Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.869{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009044Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.869{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009043Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.869{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009042Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.869{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009041Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.853{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009040Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.853{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009039Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.853{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009038Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.853{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009037Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.853{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009036Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.853{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009035Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.853{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009034Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.853{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009033Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.853{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009032Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.853{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009031Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.853{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009030Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.853{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009029Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.853{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009028Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.853{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009027Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.853{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009026Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.853{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009025Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.853{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009024Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.853{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009023Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.838{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009022Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.838{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009021Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.838{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009020Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.838{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009019Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.838{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009018Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.838{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009017Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.838{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000009016Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.838{B364217D-6460-5FCE-0000-0010A62A0900}43404320C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{B364217D-6460-5FCE-0000-00103A280900}3556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000009015Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.822{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009014Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.822{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009013Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.822{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009012Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.822{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009011Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.822{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009010Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.822{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009009Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.822{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009008Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.822{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009007Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.822{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009006Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.822{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009005Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.822{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009004Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.822{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009003Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.822{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009002Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.822{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009001Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.822{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009000Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.822{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008999Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.806{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008998Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.806{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008997Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.806{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008996Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.806{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008995Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.806{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008994Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.806{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008993Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.806{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008992Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.806{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008991Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.681{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008990Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.681{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008989Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.681{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008988Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.681{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008987Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.681{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008986Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.681{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008985Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.681{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008984Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.681{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008983Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.681{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008982Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.681{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008981Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.681{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008980Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.681{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008979Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.666{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008978Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.666{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008977Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.666{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008976Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.666{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008975Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.666{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008974Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.666{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008973Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.666{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008972Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.666{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008971Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.666{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008970Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.666{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008969Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.666{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008968Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.666{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008967Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.666{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008966Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.666{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008965Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.666{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008964Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.666{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008963Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.666{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008962Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.666{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008961Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.650{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008960Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.650{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008959Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.650{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008958Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.650{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008957Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.650{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008956Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.650{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008955Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.650{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008954Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.650{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008953Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.650{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008952Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.650{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008951Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.650{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008950Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.650{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008949Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.635{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008948Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.635{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008947Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.635{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008946Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.635{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008945Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.635{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008944Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.635{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008943Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.635{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008942Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.635{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008941Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.635{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008940Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.635{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008939Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.635{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008938Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.635{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008937Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.619{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008936Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.619{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008935Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.619{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008934Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.619{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008933Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.619{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008932Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.619{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008931Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.619{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008930Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.619{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008929Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.619{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008928Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.619{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008927Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.619{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008926Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.619{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008925Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.619{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008924Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.619{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008923Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.619{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008922Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.619{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008921Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.619{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008920Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.619{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008919Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.603{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008918Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.603{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008917Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.603{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008916Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.603{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008915Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.603{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008914Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.603{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-645F-5FCE-0000-0010039E0800}5004C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008913Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.494{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008912Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.494{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008911Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.494{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008910Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.494{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008909Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.494{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008908Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.494{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008907Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:44.494{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009054Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:45.431{B364217D-61FE-5FCE-0000-001028D10000}13321452C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x100040C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+63c9|c:\windows\system32\cryptsvc.dll+62d1|c:\windows\system32\cryptsvc.dll+5e56|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009065Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:46.619{B364217D-61FE-5FCE-0000-00102EBA0000}11361232C:\Windows\system32\svchost.exe{B364217D-64AA-5FCE-0000-00100EB51000}6532C:\Windows\SysWOW64\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009064Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:46.619{B364217D-61FE-5FCE-0000-00102EBA0000}11361624C:\Windows\system32\svchost.exe{B364217D-64AA-5FCE-0000-00100EB51000}6532C:\Windows\SysWOW64\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009063Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:46.603{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64AA-5FCE-0000-00100EB51000}6532C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009062Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:46.588{B364217D-645F-5FCE-0000-0010EA600800}42163324C:\Windows\system32\csrss.exe{B364217D-64AA-5FCE-0000-00100EB51000}6532C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009061Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:46.588{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009060Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:46.588{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009059Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:46.588{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009058Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:46.588{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009057Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:46.588{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64AA-5FCE-0000-00100EB51000}6532C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009056Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:46.588{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64AA-5FCE-0000-00100EB51000}6532C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009055Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:46.598{B364217D-64AA-5FCE-0000-00100EB51000}6532C:\Windows\SysWOW64\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}C:\Windows\system32\ATTACKRANGE\Administrator{B364217D-6460-5FCE-0000-0020BD420900}0x942bd2HighMD5=6046950FC9CA5B7A7E084C189658DACB,SHA256=5137C324038AB2E8EAB4F98A20BEE9F121346D62E4D907CA1E4A860F4C54EAE8,IMPHASH=EC90A0D780E0DD23BA7910ABD6BF7E32{B364217D-61FE-5FCE-0000-0010E0650000}604C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 13241300x80000000000000009066Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:21:49.072{B364217D-61FE-5FCE-0000-001037C40000}1204C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6ccbd-0x723145ff) 11241100x80000000000000009067Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:21:51.822{B364217D-64A5-5FCE-0000-001006CE0F00}7156C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1bf4-0\PresentationCore.dll2020-12-07 17:21:51.822 10341000x80000000000000009073Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:52.431{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64B0-5FCE-0000-00102DEE1000}6956C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009072Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:52.416{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64B0-5FCE-0000-00102DEE1000}6956C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009071Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:52.416{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64B0-5FCE-0000-00102DEE1000}6956C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009070Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:52.056{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64B0-5FCE-0000-001045E91000}6232C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009069Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:52.041{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64B0-5FCE-0000-001045E91000}6232C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009068Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:52.041{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64B0-5FCE-0000-001045E91000}6232C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009075Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:56.103{B364217D-6461-5FCE-0000-0010058A0900}18205444C:\Windows\System32\RuntimeBroker.exe{B364217D-6461-5FCE-0000-0010AF940900}4520C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\TokenBroker.dll+1acfa|C:\Windows\System32\TokenBroker.dll+1d475|C:\Windows\System32\TokenBroker.dll+1d7f9|C:\Windows\System32\TokenBroker.dll+1e8f3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+5086c|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x80000000000000009074Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:21:56.103{B364217D-6461-5FCE-0000-0010058A0900}18205444C:\Windows\System32\RuntimeBroker.exe{B364217D-6461-5FCE-0000-0010AF940900}4520C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\TokenBroker.dll+21886|C:\Windows\System32\TokenBroker.dll+1ac23|C:\Windows\System32\TokenBroker.dll+1d475|C:\Windows\System32\TokenBroker.dll+1d7f9|C:\Windows\System32\TokenBroker.dll+1e8f3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+5086c|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000009079Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:07.993{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64BF-5FCE-0000-00103E211100}5412C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009078Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:07.978{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64BF-5FCE-0000-00103E211100}5412C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009077Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:07.978{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64BF-5FCE-0000-00103E211100}5412C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009076Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:07.650{B364217D-64B0-5FCE-0000-00102DEE1000}6956C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1b2c-0\PresentationFramework.dll2020-12-07 17:22:07.650 10341000x80000000000000009089Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:08.665{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C0-5FCE-0000-0010032E1100}6768C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009088Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:08.665{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64C0-5FCE-0000-0010032E1100}6768C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009087Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:08.665{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C0-5FCE-0000-0010032E1100}6768C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009086Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:08.587{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C0-5FCE-0000-0010F7291100}5616C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009085Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:08.572{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6492-5FCE-0000-0010ED3F0F00}5616C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009084Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:08.572{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6492-5FCE-0000-0010ED3F0F00}5616C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009083Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:08.525{B364217D-64C0-5FCE-0000-0010EC241100}3460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\d84-0\PresentationFramework.Aero2.dll2020-12-07 17:22:08.509 10341000x80000000000000009082Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:08.072{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C0-5FCE-0000-0010EC241100}3460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009081Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:08.072{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64C0-5FCE-0000-0010EC241100}3460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009080Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:08.072{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C0-5FCE-0000-0010EC241100}3460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009096Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:11.353{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C3-5FCE-0000-0010B0381100}6684C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009095Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:11.337{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64C3-5FCE-0000-0010B0381100}6684C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009094Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:11.337{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C3-5FCE-0000-0010B0381100}6684C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009093Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:11.306{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C3-5FCE-0000-001039351100}5484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009092Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:11.290{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64C3-5FCE-0000-001039351100}5484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009091Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:11.290{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C3-5FCE-0000-001039351100}5484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009090Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:11.228{B364217D-64C0-5FCE-0000-0010032E1100}6768C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1a70-0\Microsoft.ActiveDirectory.Management.dll2020-12-07 17:22:11.228 10341000x80000000000000009117Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:12.868{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C4-5FCE-0000-0010544E1100}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009116Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:12.868{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64C4-5FCE-0000-0010544E1100}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009115Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:12.868{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C4-5FCE-0000-0010544E1100}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009114Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:12.837{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C4-5FCE-0000-0010DB4A1100}2336C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009113Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:12.821{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64C4-5FCE-0000-0010DB4A1100}2336C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009112Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:12.821{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C4-5FCE-0000-0010DB4A1100}2336C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009111Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:12.806{B364217D-64C4-5FCE-0000-001080471100}2512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\9d0-0\Microsoft.GroupPolicy.Management.Interop.dll2020-12-07 17:22:12.806 10341000x80000000000000009110Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:12.681{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C4-5FCE-0000-001080471100}2512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009109Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:12.665{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-648B-5FCE-0000-001040100F00}2512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009108Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:12.665{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-648B-5FCE-0000-001040100F00}2512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009107Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:12.571{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6495-5FCE-0000-001000510F00}4620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009106Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:12.571{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6495-5FCE-0000-001000510F00}4620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009105Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:12.571{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6495-5FCE-0000-001000510F00}4620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009104Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:12.556{B364217D-64C4-5FCE-0000-00105C401100}7068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1b9c-0\Microsoft.GroupPolicy.ServerAdminTools.GPOAdminGrid.dll2020-12-07 17:22:12.556 10341000x80000000000000009103Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:12.478{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6492-5FCE-0000-00109A480F00}7068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009102Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:12.478{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6492-5FCE-0000-00109A480F00}7068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009101Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:12.478{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6492-5FCE-0000-00109A480F00}7068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009100Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:12.431{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C4-5FCE-0000-0010C93C1100}6724C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009099Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:12.431{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64C4-5FCE-0000-0010C93C1100}6724C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009098Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:12.431{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C4-5FCE-0000-0010C93C1100}6724C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009097Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:12.384{B364217D-64C3-5FCE-0000-0010B0381100}6684C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1a1c-0\Microsoft.GroupPolicy.Targeting.dll2020-12-07 17:22:12.384 11241100x80000000000000009150Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:13.993{B364217D-64C5-5FCE-0000-0010366D1100}7088C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1bb0-0\Microsoft.GroupPolicy.Commands.dll2020-12-07 17:22:13.993 10341000x80000000000000009149Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:13.806{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C5-5FCE-0000-0010366D1100}7088C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009148Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:13.790{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64C5-5FCE-0000-0010366D1100}7088C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009147Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:13.790{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C5-5FCE-0000-0010366D1100}7088C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009146Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:13.775{B364217D-64C5-5FCE-0000-001052691100}7080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1ba8-0\Microsoft.GroupPolicy.Commands.dll2020-12-07 17:22:13.775 10341000x80000000000000009145Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:13.587{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C5-5FCE-0000-001052691100}7080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009144Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:13.571{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64C5-5FCE-0000-001052691100}7080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009143Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:13.571{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C5-5FCE-0000-001052691100}7080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009142Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:13.540{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C5-5FCE-0000-0010B1651100}7120C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009141Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:13.525{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64C5-5FCE-0000-0010B1651100}7120C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009140Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:13.525{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C5-5FCE-0000-0010B1651100}7120C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009139Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:13.509{B364217D-64C5-5FCE-0000-00100F621100}5600C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\15e0-0\Microsoft.GroupPolicy.Targeting.Interop.dll2020-12-07 17:22:13.509 10341000x80000000000000009138Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:13.415{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C5-5FCE-0000-00100F621100}5600C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009137Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:13.415{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64C5-5FCE-0000-00100F621100}5600C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009136Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:13.415{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C5-5FCE-0000-00100F621100}5600C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009135Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:13.384{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C5-5FCE-0000-0010955E1100}6992C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009134Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:13.368{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64C5-5FCE-0000-0010955E1100}6992C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009133Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:13.368{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C5-5FCE-0000-0010955E1100}6992C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009132Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:13.353{B364217D-64C5-5FCE-0000-0010375B1100}5744C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1670-0\Microsoft.GroupPolicy.ServerAdminTools.Private.GpmgmtpLib.dll2020-12-07 17:22:13.353 10341000x80000000000000009131Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:13.275{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C5-5FCE-0000-0010375B1100}5744C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009130Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:13.275{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64C5-5FCE-0000-0010375B1100}5744C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009129Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:13.275{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C5-5FCE-0000-0010375B1100}5744C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009128Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:13.259{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C5-5FCE-0000-001040581100}5508C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009127Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:13.243{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64C5-5FCE-0000-001040581100}5508C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009126Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:13.243{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C5-5FCE-0000-001040581100}5508C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009125Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:13.228{B364217D-64C5-5FCE-0000-001009551100}5700C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1644-0\Microsoft.GroupPolicy.ServerAdminTools.GpmgmtLib.dll2020-12-07 17:22:13.228 10341000x80000000000000009124Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:13.103{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C5-5FCE-0000-001009551100}5700C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009123Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:13.087{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64C5-5FCE-0000-001009551100}5700C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009122Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:13.087{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C5-5FCE-0000-001009551100}5700C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009121Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:13.071{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C5-5FCE-0000-00100C521100}5200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009120Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:13.071{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64C5-5FCE-0000-00100C521100}5200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009119Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:13.071{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C5-5FCE-0000-00100C521100}5200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009118Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:13.040{B364217D-64C4-5FCE-0000-0010544E1100}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1308-0\Microsoft.GroupPolicy.Management.dll2020-12-07 17:22:13.040 10341000x80000000000000009198Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.946{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C6-5FCE-0000-0010ABA01100}2372C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009197Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.946{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64C6-5FCE-0000-0010ABA01100}2372C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009196Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.946{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C6-5FCE-0000-0010ABA01100}2372C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009195Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.900{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C6-5FCE-0000-00107C9D1100}2384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009194Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.900{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64C6-5FCE-0000-00107C9D1100}2384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009193Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.900{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C6-5FCE-0000-00107C9D1100}2384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009192Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.837{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C6-5FCE-0000-00102B9A1100}5228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009191Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.837{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64C6-5FCE-0000-00102B9A1100}5228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009190Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.837{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C6-5FCE-0000-00102B9A1100}5228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009189Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.728{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C6-5FCE-0000-00108F961100}4684C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009188Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.728{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64C6-5FCE-0000-00108F961100}4684C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009187Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.728{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C6-5FCE-0000-00108F961100}4684C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009186Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.665{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C6-5FCE-0000-00107A921100}648C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009185Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.665{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64C6-5FCE-0000-00107A921100}648C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009184Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.665{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C6-5FCE-0000-00107A921100}648C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009183Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.634{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C6-5FCE-0000-0010048F1100}4488C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009182Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.634{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64C6-5FCE-0000-0010048F1100}4488C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009181Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.634{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C6-5FCE-0000-0010048F1100}4488C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009180Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.603{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C6-5FCE-0000-0010878B1100}5748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009179Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.587{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64C6-5FCE-0000-0010878B1100}5748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009178Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.587{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C6-5FCE-0000-0010878B1100}5748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009177Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.431{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C6-5FCE-0000-0010BB871100}6580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009176Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.415{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64C6-5FCE-0000-0010BB871100}6580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009175Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.415{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C6-5FCE-0000-0010BB871100}6580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009174Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.400{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C6-5FCE-0000-0010BE841100}6264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009173Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.384{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64C6-5FCE-0000-0010BE841100}6264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009172Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.384{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C6-5FCE-0000-0010BE841100}6264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009171Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:14.384{B364217D-64C6-5FCE-0000-00105B811100}6232C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1858-0\Microsoft.ActiveDirectory.TRLParserInterop.dll2020-12-07 17:22:14.384 10341000x80000000000000009170Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.353{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C6-5FCE-0000-00105B811100}6232C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009169Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.337{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64B0-5FCE-0000-001045E91000}6232C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009168Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.337{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64B0-5FCE-0000-001045E91000}6232C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009167Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.306{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C6-5FCE-0000-0010E47D1100}6644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009166Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.306{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64C6-5FCE-0000-0010E47D1100}6644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009165Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.306{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C6-5FCE-0000-0010E47D1100}6644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009164Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:14.290{B364217D-64C6-5FCE-0000-0010B17A1100}6396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\18fc-0\TRLParserCOMInterface.dll2020-12-07 17:22:14.290 10341000x80000000000000009163Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.275{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C6-5FCE-0000-0010B17A1100}6396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009162Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.259{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64C6-5FCE-0000-0010B17A1100}6396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009161Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.259{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C6-5FCE-0000-0010B17A1100}6396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009160Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.243{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C6-5FCE-0000-0010BA771100}5860C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009159Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.228{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64C6-5FCE-0000-0010BA771100}5860C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009158Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.228{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C6-5FCE-0000-0010BA771100}5860C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009157Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:14.212{B364217D-64C6-5FCE-0000-00104D741100}6216C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1848-0\Microsoft.ActiveDirectory.TRLParser.dll2020-12-07 17:22:14.212 10341000x80000000000000009156Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.040{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C6-5FCE-0000-00104D741100}6216C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009155Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.040{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64C6-5FCE-0000-00104D741100}6216C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009154Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.040{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C6-5FCE-0000-00104D741100}6216C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009153Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:14.009{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C6-5FCE-0000-00100D711100}6536C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009152Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:13.993{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64C6-5FCE-0000-00100D711100}6536C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009151Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:13.993{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C6-5FCE-0000-00100D711100}6536C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009226Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:15.946{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C7-5FCE-0000-001054C21100}5644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009225Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:15.931{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64C7-5FCE-0000-001054C21100}5644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009224Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:15.931{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C7-5FCE-0000-001054C21100}5644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009223Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:15.837{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C7-5FCE-0000-001087BE1100}1168C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009222Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:15.821{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64C7-5FCE-0000-001087BE1100}1168C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009221Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:15.821{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C7-5FCE-0000-001087BE1100}1168C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009220Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:15.790{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C7-5FCE-0000-001011BB1100}3836C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009219Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:15.790{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64C7-5FCE-0000-001011BB1100}3836C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009218Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:15.790{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C7-5FCE-0000-001011BB1100}3836C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009217Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:15.728{B364217D-64C7-5FCE-0000-0010D0B51100}3340C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\d0c-0\Microsoft.Activities.Build.dll2020-12-07 17:22:15.728 10341000x80000000000000009216Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:15.540{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C7-5FCE-0000-0010D0B51100}3340C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009215Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:15.540{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64C7-5FCE-0000-0010D0B51100}3340C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009214Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:15.540{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C7-5FCE-0000-0010D0B51100}3340C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009213Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:15.337{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C7-5FCE-0000-0010B2B11100}5684C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009212Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:15.321{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64C7-5FCE-0000-0010B2B11100}5684C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009211Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:15.321{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C7-5FCE-0000-0010B2B11100}5684C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009210Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:15.306{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C7-5FCE-0000-001090AE1100}6852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009209Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:15.290{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-648B-5FCE-0000-001080080F00}6852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009208Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:15.290{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-648B-5FCE-0000-001080080F00}6852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009207Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:15.275{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C7-5FCE-0000-00107CAB1100}6776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009206Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:15.259{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64C7-5FCE-0000-00107CAB1100}6776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009205Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:15.259{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C7-5FCE-0000-00107CAB1100}6776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009204Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:15.103{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-648B-5FCE-0000-001013050F00}6760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009203Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:15.103{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-648B-5FCE-0000-001013050F00}6760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009202Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:15.103{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-648B-5FCE-0000-001013050F00}6760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009201Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:15.087{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C7-5FCE-0000-001057A41100}5916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009200Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:15.071{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64C7-5FCE-0000-001057A41100}5916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009199Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:15.071{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C7-5FCE-0000-001057A41100}5916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009232Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:16.353{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C8-5FCE-0000-0010E0C91100}5280C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009231Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:16.353{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64C8-5FCE-0000-0010E0C91100}5280C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009230Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:16.353{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C8-5FCE-0000-0010E0C91100}5280C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009229Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:16.118{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C8-5FCE-0000-00100FC61100}7148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009228Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:16.103{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64C8-5FCE-0000-00100FC61100}7148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009227Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:16.103{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C8-5FCE-0000-00100FC61100}7148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009240Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:18.712{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-64CA-5FCE-0000-001087CE1100}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009239Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:18.712{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009238Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:18.712{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009237Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:18.712{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009236Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:18.712{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009235Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:18.712{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64CA-5FCE-0000-001087CE1100}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009234Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:18.712{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-64CA-5FCE-0000-001087CE1100}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009233Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:18.713{B364217D-64CA-5FCE-0000-001087CE1100}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009257Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:19.884{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-64CB-5FCE-0000-00102DD21100}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009256Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:19.884{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009255Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:19.884{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009254Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:19.884{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009253Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:19.884{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009252Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:19.884{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64CB-5FCE-0000-00102DD21100}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009251Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:19.884{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-64CB-5FCE-0000-00102DD21100}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009250Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:19.885{B364217D-64CB-5FCE-0000-00102DD21100}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009249Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:19.524{B364217D-64CB-5FCE-0000-001036D01100}69927132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009248Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:19.384{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-64C5-5FCE-0000-0010955E1100}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009247Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:19.384{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009246Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:19.384{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009245Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:19.384{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009244Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:19.384{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009243Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:19.384{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64C5-5FCE-0000-0010955E1100}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009242Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:19.384{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-64C5-5FCE-0000-0010955E1100}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009241Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:19.385{B364217D-64CB-5FCE-0000-001036D01100}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009271Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:20.962{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64CC-5FCE-0000-00101EDF1100}6196C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009270Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:20.946{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64CC-5FCE-0000-00101EDF1100}6196C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009269Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:20.946{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64CC-5FCE-0000-00101EDF1100}6196C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009268Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:20.899{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64CC-5FCE-0000-0010DEDB1100}7092C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009267Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:20.884{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64CC-5FCE-0000-0010DEDB1100}7092C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009266Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:20.884{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64CC-5FCE-0000-0010DEDB1100}7092C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009265Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:20.837{B364217D-64CC-5FCE-0000-0010E6D71100}6888C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1ae8-0\Microsoft.Build.Conversion.v4.0.dll2020-12-07 17:22:20.837 10341000x80000000000000009264Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:20.634{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64CC-5FCE-0000-0010E6D71100}6888C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009263Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:20.618{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64CC-5FCE-0000-0010E6D71100}6888C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009262Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:20.618{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64CC-5FCE-0000-0010E6D71100}6888C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009261Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:20.478{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64CC-5FCE-0000-00104ED41100}7096C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009260Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:20.462{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64CC-5FCE-0000-00104ED41100}7096C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009259Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:20.462{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64CC-5FCE-0000-00104ED41100}7096C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009258Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:20.337{B364217D-64C8-5FCE-0000-0010E0C91100}5280C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\14a0-0\Microsoft.Build.dll2020-12-07 17:22:20.337 10341000x80000000000000009280Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:21.353{B364217D-64CD-5FCE-0000-001057E21100}63446216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009279Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:21.212{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-64CD-5FCE-0000-001057E21100}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009278Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:21.212{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009277Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:21.212{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009276Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:21.212{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009275Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:21.212{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009274Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:21.212{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64CD-5FCE-0000-001057E21100}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009273Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:21.212{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-64CD-5FCE-0000-001057E21100}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009272Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:21.213{B364217D-64CD-5FCE-0000-001057E21100}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009312Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:22.915{B364217D-64CE-5FCE-0000-00102DF01100}70846892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009311Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:22.899{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64CE-5FCE-0000-001072F21100}6088C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009310Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:22.884{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64CE-5FCE-0000-001072F21100}6088C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009309Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:22.884{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64CE-5FCE-0000-001072F21100}6088C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009308Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:22.759{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-64CE-5FCE-0000-00102DF01100}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009307Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:22.759{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009306Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:22.759{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009305Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:22.759{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009304Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:22.759{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009303Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:22.759{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64CE-5FCE-0000-00102DF01100}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009302Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:22.759{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-64CE-5FCE-0000-00102DF01100}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009301Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:22.760{B364217D-64CE-5FCE-0000-00102DF01100}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009300Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:22.712{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64CE-5FCE-0000-001039ED1100}3204C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009299Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:22.712{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64CE-5FCE-0000-001039ED1100}3204C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009298Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:22.712{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64CE-5FCE-0000-001039ED1100}3204C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009297Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:22.649{B364217D-64CE-5FCE-0000-0010C1E91100}6244C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1864-0\Microsoft.Build.Framework.dll2020-12-07 17:22:22.649 10341000x80000000000000009296Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:22.353{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64CE-5FCE-0000-0010C1E91100}6244C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009295Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:22.353{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64CE-5FCE-0000-0010C1E91100}6244C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009294Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:22.353{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64CE-5FCE-0000-0010C1E91100}6244C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009293Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:22.321{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64CE-5FCE-0000-001072E61100}7108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009292Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:22.306{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64CE-5FCE-0000-001072E61100}7108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009291Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:22.306{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64CE-5FCE-0000-001072E61100}7108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009290Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:22.243{B364217D-64CE-5FCE-0000-00106CE41100}63645560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009289Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:22.227{B364217D-64CC-5FCE-0000-00101EDF1100}6196C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1834-0\Microsoft.Build.Engine.dll2020-12-07 17:22:22.227 10341000x80000000000000009288Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:22.087{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-64CE-5FCE-0000-00106CE41100}6364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009287Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:22.087{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009286Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:22.087{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009285Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:22.087{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009284Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:22.087{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009283Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:22.087{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64CE-5FCE-0000-00106CE41100}6364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009282Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:22.087{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-64CE-5FCE-0000-00106CE41100}6364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009281Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:22.088{B364217D-64CE-5FCE-0000-00106CE41100}6364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009320Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:23.962{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-64CF-5FCE-0000-0010F7F61100}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009319Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:23.962{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009318Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:23.962{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009317Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:23.962{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009316Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:23.962{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009315Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:23.962{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64CF-5FCE-0000-0010F7F61100}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009314Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:23.962{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-64CF-5FCE-0000-0010F7F61100}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009313Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:23.963{B364217D-64CF-5FCE-0000-0010F7F61100}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009327Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:25.587{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D1-5FCE-0000-001091FD1100}7032C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009326Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:25.587{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64D1-5FCE-0000-001091FD1100}7032C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009325Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:25.587{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D1-5FCE-0000-001091FD1100}7032C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009324Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:25.462{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D1-5FCE-0000-001018FA1100}6952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009323Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:25.446{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64D1-5FCE-0000-001018FA1100}6952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009322Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:25.446{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D1-5FCE-0000-001018FA1100}6952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009321Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:25.352{B364217D-64CE-5FCE-0000-001072F21100}6088C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\17c8-0\Microsoft.Build.Tasks.v4.0.dll2020-12-07 17:22:25.352 10341000x80000000000000009349Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:26.852{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D2-5FCE-0000-00102E171200}6780C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009348Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:26.852{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64D2-5FCE-0000-00102E171200}6780C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009347Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:26.852{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D2-5FCE-0000-00102E171200}6780C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009346Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:26.712{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D2-5FCE-0000-00109F131200}5384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009345Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:26.712{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64D2-5FCE-0000-00109F131200}5384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009344Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:26.712{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D2-5FCE-0000-00109F131200}5384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009343Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:26.665{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C3-5FCE-0000-001039351100}5484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009342Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:26.665{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64C3-5FCE-0000-001039351100}5484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009341Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:26.665{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C3-5FCE-0000-001039351100}5484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009340Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:26.634{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C0-5FCE-0000-0010032E1100}6768C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009339Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:26.634{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64C0-5FCE-0000-0010032E1100}6768C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009338Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:26.634{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C0-5FCE-0000-0010032E1100}6768C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009337Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:26.399{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D2-5FCE-0000-001073081200}2480C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009336Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:26.384{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64D2-5FCE-0000-001073081200}2480C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009335Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:26.384{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D2-5FCE-0000-001073081200}2480C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009334Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:26.352{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D2-5FCE-0000-0010A2041200}3792C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009333Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:26.337{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64D2-5FCE-0000-0010A2041200}3792C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009332Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:26.337{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D2-5FCE-0000-0010A2041200}3792C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009331Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:26.306{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D2-5FCE-0000-001015011200}7040C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009330Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:26.290{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64D2-5FCE-0000-001015011200}7040C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009329Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:26.290{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D2-5FCE-0000-001015011200}7040C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009328Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:26.227{B364217D-64D1-5FCE-0000-001091FD1100}7032C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1b78-0\Microsoft.Build.Utilities.v4.0.dll2020-12-07 17:22:26.227 10341000x80000000000000009368Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:28.806{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D4-5FCE-0000-0010EB2D1200}5708C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009367Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:28.790{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64D4-5FCE-0000-0010EB2D1200}5708C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009366Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:28.790{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D4-5FCE-0000-0010EB2D1200}5708C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009365Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:28.665{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D4-5FCE-0000-0010752A1200}5636C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009364Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:28.665{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64D4-5FCE-0000-0010752A1200}5636C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009363Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:28.665{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D4-5FCE-0000-0010752A1200}5636C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009362Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:28.431{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D4-5FCE-0000-00101D261200}5212C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009361Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:28.431{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64D4-5FCE-0000-00101D261200}5212C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009360Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:28.431{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D4-5FCE-0000-00101D261200}5212C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009359Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:28.399{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D4-5FCE-0000-0010AC221200}2512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009358Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:28.384{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64C4-5FCE-0000-001080471100}2512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009357Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:28.384{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C4-5FCE-0000-001080471100}2512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009356Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:28.337{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C4-5FCE-0000-001030441100}4620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009355Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:28.337{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64C4-5FCE-0000-001030441100}4620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009354Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:28.337{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C4-5FCE-0000-001030441100}4620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009353Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:28.290{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C4-5FCE-0000-00105C401100}7068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009352Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:28.290{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64C4-5FCE-0000-00105C401100}7068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009351Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:28.290{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C4-5FCE-0000-00105C401100}7068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009350Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:28.227{B364217D-64D2-5FCE-0000-00102E171200}6780C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1a7c-0\Microsoft.CSharp.dll2020-12-07 17:22:28.227 10341000x80000000000000009375Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:29.977{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6495-5FCE-0000-001057560F00}7004C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009374Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:29.977{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6495-5FCE-0000-001057560F00}7004C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009373Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:29.977{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6495-5FCE-0000-001057560F00}7004C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009372Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:29.915{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D5-5FCE-0000-0010F5311200}4108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009371Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:29.899{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64D5-5FCE-0000-0010F5311200}4108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009370Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:29.899{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D5-5FCE-0000-0010F5311200}4108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009369Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:29.837{B364217D-64D4-5FCE-0000-0010EB2D1200}5708C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\164c-0\Microsoft.Internal.Tasks.Dataflow.dll2020-12-07 17:22:29.837 10341000x80000000000000009420Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.977{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D6-5FCE-0000-0010616D1200}6960C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009419Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.962{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64D6-5FCE-0000-0010616D1200}6960C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009418Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.962{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D6-5FCE-0000-0010616D1200}6960C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009417Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.915{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D6-5FCE-0000-00101E691200}5160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009416Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.899{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64D6-5FCE-0000-00101E691200}5160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009415Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.899{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D6-5FCE-0000-00101E691200}5160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009414Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.852{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C6-5FCE-0000-0010BB871100}6580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009413Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.852{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64C6-5FCE-0000-0010BB871100}6580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009412Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.852{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C6-5FCE-0000-0010BB871100}6580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009411Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.821{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D6-5FCE-0000-00106F611200}3204C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009410Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.805{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64CE-5FCE-0000-001039ED1100}3204C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009409Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.805{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64CE-5FCE-0000-001039ED1100}3204C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009408Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.759{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D6-5FCE-0000-0010585D1200}2908C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009407Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.759{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64D6-5FCE-0000-0010585D1200}2908C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009406Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.759{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D6-5FCE-0000-0010585D1200}2908C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009405Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.634{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D6-5FCE-0000-0010F2581200}7156C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009404Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.618{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64A5-5FCE-0000-001006CE0F00}7156C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009403Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.618{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64A5-5FCE-0000-001006CE0F00}7156C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009402Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.571{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D6-5FCE-0000-00106F551200}6876C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009401Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.571{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64D6-5FCE-0000-00106F551200}6876C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009400Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.571{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D6-5FCE-0000-00106F551200}6876C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009399Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.446{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D6-5FCE-0000-0010C1511200}6380C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009398Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.446{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64D6-5FCE-0000-0010C1511200}6380C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009397Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.446{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D6-5FCE-0000-0010C1511200}6380C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009396Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.399{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D6-5FCE-0000-0010DB4D1200}6740C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009395Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.384{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64D6-5FCE-0000-0010DB4D1200}6740C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009394Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.384{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D6-5FCE-0000-0010DB4D1200}6740C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009393Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.368{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D6-5FCE-0000-00108D4A1200}6916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009392Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.352{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64D6-5FCE-0000-00108D4A1200}6916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009391Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.352{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D6-5FCE-0000-00108D4A1200}6916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009390Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.321{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D6-5FCE-0000-0010C7461200}6648C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009389Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.305{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64D6-5FCE-0000-0010C7461200}6648C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009388Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.305{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D6-5FCE-0000-0010C7461200}6648C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009387Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.274{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D6-5FCE-0000-001053431200}7056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009386Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.274{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64D6-5FCE-0000-001053431200}7056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009385Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.274{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D6-5FCE-0000-001053431200}7056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009384Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.227{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D6-5FCE-0000-0010BF3F1200}5736C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009383Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.227{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64D6-5FCE-0000-0010BF3F1200}5736C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009382Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.227{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D6-5FCE-0000-0010BF3F1200}5736C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009381Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.180{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64CB-5FCE-0000-00102DD21100}3312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009380Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.180{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64CB-5FCE-0000-00102DD21100}3312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009379Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.180{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64CB-5FCE-0000-00102DD21100}3312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009378Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.102{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D6-5FCE-0000-001091381200}6844C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009377Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.087{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64D6-5FCE-0000-001091381200}6844C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009376Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:30.087{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D6-5FCE-0000-001091381200}6844C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009456Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:31.993{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D7-5FCE-0000-00102A9C1200}6796C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009455Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:31.977{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64D7-5FCE-0000-00102A9C1200}6796C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009454Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:31.977{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D7-5FCE-0000-00102A9C1200}6796C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009453Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:31.946{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D7-5FCE-0000-001043981200}4072C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009452Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:31.930{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64D7-5FCE-0000-001043981200}4072C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009451Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:31.930{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D7-5FCE-0000-001043981200}4072C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009450Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:31.899{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D7-5FCE-0000-001080941200}6816C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009449Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:31.884{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64D7-5FCE-0000-001080941200}6816C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009448Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:31.884{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D7-5FCE-0000-001080941200}6816C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009447Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:31.852{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D7-5FCE-0000-0010EE901200}6784C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009446Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:31.852{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64D7-5FCE-0000-0010EE901200}6784C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009445Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:31.852{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D7-5FCE-0000-0010EE901200}6784C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009444Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:31.805{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D7-5FCE-0000-00103C8D1200}6680C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009443Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:31.805{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64D7-5FCE-0000-00103C8D1200}6680C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009442Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:31.805{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D7-5FCE-0000-00103C8D1200}6680C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009441Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:31.743{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D7-5FCE-0000-00101F891200}6708C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009440Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:31.743{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64D7-5FCE-0000-00101F891200}6708C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009439Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:31.743{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D7-5FCE-0000-00101F891200}6708C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009438Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:31.712{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D7-5FCE-0000-0010A0851200}6180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009437Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:31.696{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64D7-5FCE-0000-0010A0851200}6180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009436Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:31.696{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D7-5FCE-0000-0010A0851200}6180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009435Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:31.649{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D7-5FCE-0000-001062811200}6632C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009434Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:31.634{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64D7-5FCE-0000-001062811200}6632C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009433Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:31.634{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D7-5FCE-0000-001062811200}6632C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009432Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:31.415{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D7-5FCE-0000-0010DB7C1200}4856C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009431Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:31.399{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64D7-5FCE-0000-0010DB7C1200}4856C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009430Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:31.399{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D7-5FCE-0000-0010DB7C1200}4856C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009429Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:31.118{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D7-5FCE-0000-0010B1781200}4608C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009428Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:31.102{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64D7-5FCE-0000-0010B1781200}4608C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009427Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:31.102{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D7-5FCE-0000-0010B1781200}4608C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009426Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:31.071{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D7-5FCE-0000-0010C7741200}2280C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009425Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:31.055{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64D7-5FCE-0000-0010C7741200}2280C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009424Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:31.055{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D7-5FCE-0000-0010C7741200}2280C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009423Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:31.009{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D7-5FCE-0000-0010F8701200}7036C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009422Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:31.009{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64D7-5FCE-0000-0010F8701200}7036C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009421Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:31.009{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D7-5FCE-0000-0010F8701200}7036C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009495Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:32.712{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D8-5FCE-0000-0010B1CB1200}4552C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009494Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:32.712{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64D8-5FCE-0000-0010B1CB1200}4552C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009493Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:32.712{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D8-5FCE-0000-0010B1CB1200}4552C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009492Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:32.649{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D8-5FCE-0000-0010A5C71200}6400C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009491Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:32.634{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64D8-5FCE-0000-0010A5C71200}6400C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009490Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:32.634{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D8-5FCE-0000-0010A5C71200}6400C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009489Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:32.602{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D8-5FCE-0000-00101AC41200}6540C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009488Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:32.587{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64D8-5FCE-0000-00101AC41200}6540C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009487Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:32.587{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D8-5FCE-0000-00101AC41200}6540C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009486Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:32.555{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D8-5FCE-0000-0010D0C01200}6920C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009485Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:32.555{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64D8-5FCE-0000-0010D0C01200}6920C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009484Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:32.555{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D8-5FCE-0000-0010D0C01200}6920C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009483Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:32.524{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D8-5FCE-0000-001050BD1200}6548C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009482Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:32.509{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64D8-5FCE-0000-001050BD1200}6548C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009481Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:32.509{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D8-5FCE-0000-001050BD1200}6548C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009480Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:32.477{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D8-5FCE-0000-0010B0B91200}4128C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009479Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:32.462{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64D8-5FCE-0000-0010B0B91200}4128C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009478Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:32.462{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D8-5FCE-0000-0010B0B91200}4128C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009477Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:32.446{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D8-5FCE-0000-00108EB61200}7164C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009476Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:32.430{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64D8-5FCE-0000-00108EB61200}7164C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009475Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:32.430{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D8-5FCE-0000-00108EB61200}7164C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009474Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:32.399{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D8-5FCE-0000-001019B31200}7060C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009473Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:32.399{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64D8-5FCE-0000-001019B31200}7060C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009472Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:32.399{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D8-5FCE-0000-001019B31200}7060C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009471Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:32.368{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D8-5FCE-0000-0010BFAF1200}6848C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009470Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:32.368{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64D8-5FCE-0000-0010BFAF1200}6848C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009469Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:32.352{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64A5-5FCE-0000-00101EC50F00}6848C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009468Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:32.337{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D8-5FCE-0000-0010BCAC1200}5752C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009467Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:32.337{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64D8-5FCE-0000-0010BCAC1200}5752C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009466Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:32.337{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D8-5FCE-0000-0010BCAC1200}5752C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009465Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:32.290{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D8-5FCE-0000-0010B3A81200}7052C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009464Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:32.274{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64D8-5FCE-0000-0010B3A81200}7052C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009463Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:32.274{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D8-5FCE-0000-0010B3A81200}7052C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009462Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:32.243{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D8-5FCE-0000-00102EA51200}5132C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009461Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:32.243{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64D8-5FCE-0000-00102EA51200}5132C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009460Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:32.243{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D8-5FCE-0000-00102EA51200}5132C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009459Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:32.149{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D8-5FCE-0000-0010ADA01200}2500C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009458Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:32.149{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64D8-5FCE-0000-0010ADA01200}2500C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009457Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:32.149{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D8-5FCE-0000-0010ADA01200}2500C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009509Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:33.993{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D9-5FCE-0000-0010A4E31200}3204C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009508Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:33.977{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64D6-5FCE-0000-00106F611200}3204C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009507Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:33.977{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D6-5FCE-0000-00106F611200}3204C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009506Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:33.915{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D9-5FCE-0000-00104EDF1200}1892C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009505Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:33.915{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64D9-5FCE-0000-00104EDF1200}1892C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009504Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:33.915{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D9-5FCE-0000-00104EDF1200}1892C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009503Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:33.852{B364217D-64D9-5FCE-0000-0010EDD81200}5976C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1758-0\Microsoft.Transactions.Bridge.Dtc.dll2020-12-07 17:22:33.852 10341000x80000000000000009502Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:33.634{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D9-5FCE-0000-0010EDD81200}5976C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009501Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:33.634{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64D9-5FCE-0000-0010EDD81200}5976C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009500Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:33.634{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D9-5FCE-0000-0010EDD81200}5976C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009499Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:33.587{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D9-5FCE-0000-001072D51200}6572C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009498Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:33.571{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64D9-5FCE-0000-001072D51200}6572C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009497Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:33.571{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D9-5FCE-0000-001072D51200}6572C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009496Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:33.509{B364217D-64D8-5FCE-0000-0010B1CB1200}4552C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\11c8-0\Microsoft.Transactions.Bridge.dll2020-12-07 17:22:33.509 10341000x80000000000000009519Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:34.946{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DA-5FCE-0000-001074F01200}3460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009518Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:34.930{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64C0-5FCE-0000-0010EC241100}3460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009517Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:34.930{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C0-5FCE-0000-0010EC241100}3460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009516Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:34.852{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DA-5FCE-0000-0010A4EC1200}6604C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009515Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:34.837{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64DA-5FCE-0000-0010A4EC1200}6604C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009514Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:34.837{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DA-5FCE-0000-0010A4EC1200}6604C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009513Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:34.774{B364217D-64DA-5FCE-0000-0010CFE81200}5472C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1560-0\Microsoft.VisualBasic.Activities.Compiler.dll2020-12-07 17:22:34.774 10341000x80000000000000009512Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:34.165{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DA-5FCE-0000-0010CFE81200}5472C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009511Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:34.165{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64DA-5FCE-0000-0010CFE81200}5472C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009510Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:34.165{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DA-5FCE-0000-0010CFE81200}5472C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009537Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:36.993{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DC-5FCE-0000-0010E8041300}4628C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009536Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:36.977{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64DC-5FCE-0000-0010E8041300}4628C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009535Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:36.977{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DC-5FCE-0000-0010E8041300}4628C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009534Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:36.930{B364217D-64DC-5FCE-0000-0010CC011300}1372C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\55c-0\Microsoft.VisualC.dll2020-12-07 17:22:36.930 10341000x80000000000000009533Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:36.915{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DC-5FCE-0000-0010CC011300}1372C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009532Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:36.899{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64DC-5FCE-0000-0010CC011300}1372C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009531Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:36.899{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DC-5FCE-0000-0010CC011300}1372C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009530Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:36.883{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DC-5FCE-0000-0010EFFE1200}2412C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009529Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:36.868{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64DC-5FCE-0000-0010EFFE1200}2412C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009528Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:36.868{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DC-5FCE-0000-0010EFFE1200}2412C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009527Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:36.821{B364217D-64DC-5FCE-0000-00101FF91200}6308C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\18a4-0\Microsoft.VisualBasic.Compatibility.Data.dll2020-12-07 17:22:36.821 10341000x80000000000000009526Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:36.508{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DC-5FCE-0000-00101FF91200}6308C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009525Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:36.508{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64DC-5FCE-0000-00101FF91200}6308C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009524Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:36.508{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DC-5FCE-0000-00101FF91200}6308C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009523Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:36.446{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DC-5FCE-0000-00102CF51200}6304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009522Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:36.446{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64DC-5FCE-0000-00102CF51200}6304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009521Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:36.446{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DC-5FCE-0000-00102CF51200}6304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009520Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:36.368{B364217D-64DA-5FCE-0000-001074F01200}3460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\d84-0\Microsoft.VisualBasic.Compatibility.dll2020-12-07 17:22:36.368 10341000x80000000000000009579Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.852{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DD-5FCE-0000-00109F381300}6552C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009578Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.837{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64DD-5FCE-0000-00109F381300}6552C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009577Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.837{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DD-5FCE-0000-00109F381300}6552C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009576Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.758{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DD-5FCE-0000-001096341300}6884C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009575Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.743{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64DD-5FCE-0000-001096341300}6884C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009574Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.743{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DD-5FCE-0000-001096341300}6884C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009573Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.712{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DD-5FCE-0000-0010DD301300}7008C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009572Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.696{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64DD-5FCE-0000-0010DD301300}7008C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009571Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.696{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DD-5FCE-0000-0010DD301300}7008C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009570Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.524{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DD-5FCE-0000-0010552C1300}6848C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009569Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.508{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64D8-5FCE-0000-0010BFAF1200}6848C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009568Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.508{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D8-5FCE-0000-0010BFAF1200}6848C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009567Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.446{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DD-5FCE-0000-00107A281300}5752C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009566Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.430{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64D8-5FCE-0000-0010BCAC1200}5752C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009565Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.430{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D8-5FCE-0000-0010BCAC1200}5752C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009564Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.368{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D8-5FCE-0000-0010B3A81200}7052C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009563Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.368{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64D8-5FCE-0000-0010B3A81200}7052C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009562Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.368{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D8-5FCE-0000-0010B3A81200}7052C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009561Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.321{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DD-5FCE-0000-001021211300}7044C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009560Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.321{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64DD-5FCE-0000-001021211300}7044C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009559Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.321{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DD-5FCE-0000-001021211300}7044C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009558Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.305{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DD-5FCE-0000-0010241E1300}6792C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009557Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.290{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64DD-5FCE-0000-0010241E1300}6792C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009556Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.290{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DD-5FCE-0000-0010241E1300}6792C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009555Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.274{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DD-5FCE-0000-0010331B1300}4620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009554Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.258{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64D4-5FCE-0000-0010121F1200}4620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009553Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.258{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D4-5FCE-0000-0010121F1200}4620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009552Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.227{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DD-5FCE-0000-0010A2171300}6060C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009551Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.227{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64DD-5FCE-0000-0010A2171300}6060C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009550Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.227{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DD-5FCE-0000-0010A2171300}6060C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009549Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.196{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DD-5FCE-0000-001018141300}5812C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009548Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.180{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64DD-5FCE-0000-001018141300}5812C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009547Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.180{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DD-5FCE-0000-001018141300}5812C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009546Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.149{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DD-5FCE-0000-00108D101300}6996C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009545Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.133{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64DD-5FCE-0000-00108D101300}6996C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009544Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.133{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DD-5FCE-0000-00108D101300}6996C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009543Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.102{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C7-5FCE-0000-00107CAB1100}6776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009542Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.102{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64C7-5FCE-0000-00107CAB1100}6776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009541Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.102{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C7-5FCE-0000-00107CAB1100}6776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009540Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.055{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DD-5FCE-0000-00100D091300}6672C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009539Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.040{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64DD-5FCE-0000-00100D091300}6672C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009538Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:37.040{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DD-5FCE-0000-00100D091300}6672C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009615Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:38.680{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DE-5FCE-0000-00106B691300}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009614Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:38.680{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64DE-5FCE-0000-00106B691300}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009613Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:38.680{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DE-5FCE-0000-00106B691300}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009612Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:38.618{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C6-5FCE-0000-0010048F1100}4488C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009611Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:38.618{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64C6-5FCE-0000-0010048F1100}4488C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009610Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:38.618{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C6-5FCE-0000-0010048F1100}4488C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009609Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:38.555{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DE-5FCE-0000-001092611300}4964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009608Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:38.555{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64DE-5FCE-0000-001092611300}4964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009607Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:38.555{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DE-5FCE-0000-001092611300}4964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009606Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:38.493{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DE-5FCE-0000-0010685D1300}4136C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009605Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:38.493{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64DE-5FCE-0000-0010685D1300}4136C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009604Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:38.493{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DE-5FCE-0000-0010685D1300}4136C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009603Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:38.446{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DE-5FCE-0000-001049591300}7048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009602Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:38.430{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64DE-5FCE-0000-001049591300}7048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009601Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:38.430{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DE-5FCE-0000-001049591300}7048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009600Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:38.383{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DE-5FCE-0000-0010FF541300}6356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009599Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:38.368{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64DE-5FCE-0000-0010FF541300}6356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009598Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:38.368{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DE-5FCE-0000-0010FF541300}6356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009597Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:38.337{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DE-5FCE-0000-001022511300}6316C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009596Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:38.321{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64DE-5FCE-0000-001022511300}6316C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009595Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:38.321{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DE-5FCE-0000-001022511300}6316C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009594Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:38.274{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DE-5FCE-0000-0010C84C1300}6248C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009593Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:38.258{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64DE-5FCE-0000-0010C84C1300}6248C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009592Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:38.258{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DE-5FCE-0000-0010C84C1300}6248C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009591Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:38.227{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DE-5FCE-0000-00101C491300}3900C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009590Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:38.227{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64DE-5FCE-0000-00101C491300}3900C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009589Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:38.227{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DE-5FCE-0000-00101C491300}3900C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009588Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:38.180{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DE-5FCE-0000-00105D451300}5860C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009587Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:38.165{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64C6-5FCE-0000-0010BA771100}5860C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009586Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:38.165{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C6-5FCE-0000-0010BA771100}5860C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009585Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:38.133{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DE-5FCE-0000-00106C411300}5572C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009584Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:38.118{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64DE-5FCE-0000-00106C411300}5572C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009583Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:38.118{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DE-5FCE-0000-00106C411300}5572C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009582Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:38.055{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DE-5FCE-0000-0010163D1300}5456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009581Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:38.040{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64DE-5FCE-0000-0010163D1300}5456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009580Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:38.040{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DE-5FCE-0000-0010163D1300}5456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009664Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.977{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DF-5FCE-0000-0010B0A71300}1580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009663Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.962{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64DF-5FCE-0000-0010B0A71300}1580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009662Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.962{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DF-5FCE-0000-0010B0A71300}1580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009661Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.930{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DF-5FCE-0000-0010DCA31300}6692C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009660Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.915{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64DF-5FCE-0000-0010DCA31300}6692C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009659Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.915{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DF-5FCE-0000-0010DCA31300}6692C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009658Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.899{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DF-5FCE-0000-001098A01300}3268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009657Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.883{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64DF-5FCE-0000-001098A01300}3268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009656Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.883{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DF-5FCE-0000-001098A01300}3268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009655Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.837{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DF-5FCE-0000-0010B59C1300}7160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009654Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.837{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64DF-5FCE-0000-0010B59C1300}7160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009653Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.837{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DF-5FCE-0000-0010B59C1300}7160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009652Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.805{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DF-5FCE-0000-0010E5981300}5520C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009651Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.790{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64DF-5FCE-0000-0010E5981300}5520C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009650Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.790{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DF-5FCE-0000-0010E5981300}5520C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009649Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localEXE2020-12-07 17:22:39.743{B364217D-64DF-5FCE-0000-00104C941300}3340C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\d0c-0\Microsoft.Workflow.Compiler.exe2020-12-07 17:22:39.743 10341000x80000000000000009648Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.602{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C7-5FCE-0000-0010D0B51100}3340C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009647Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.602{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64C7-5FCE-0000-0010D0B51100}3340C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009646Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.602{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C7-5FCE-0000-0010D0B51100}3340C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009645Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.462{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DF-5FCE-0000-00109F901300}4544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009644Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.462{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64DF-5FCE-0000-00109F901300}4544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009643Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.462{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DF-5FCE-0000-00109F901300}4544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009642Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.430{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DF-5FCE-0000-00103F8D1300}6816C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009641Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.415{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64D7-5FCE-0000-001080941200}6816C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009640Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.415{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D7-5FCE-0000-001080941200}6816C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009639Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.383{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DF-5FCE-0000-0010A2891300}6744C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009638Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.368{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64DF-5FCE-0000-0010A2891300}6744C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009637Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.368{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DF-5FCE-0000-0010A2891300}6744C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009636Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.321{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DF-5FCE-0000-001087851300}5852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009635Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.321{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64DF-5FCE-0000-001087851300}5852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009634Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.321{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DF-5FCE-0000-001087851300}5852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009633Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.290{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DF-5FCE-0000-00103C821300}5640C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009632Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.290{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64DF-5FCE-0000-00103C821300}5640C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009631Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.290{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DF-5FCE-0000-00103C821300}5640C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009630Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.243{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DF-5FCE-0000-00105D7E1300}6712C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009629Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.227{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64DF-5FCE-0000-00105D7E1300}6712C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009628Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.227{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DF-5FCE-0000-00105D7E1300}6712C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009627Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.180{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DF-5FCE-0000-0010117A1300}5964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009626Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.165{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64DF-5FCE-0000-0010117A1300}5964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009625Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.165{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DF-5FCE-0000-0010117A1300}5964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009624Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.118{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DF-5FCE-0000-0010FB751300}4588C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009623Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.102{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64DF-5FCE-0000-0010FB751300}4588C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009622Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.102{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DF-5FCE-0000-0010FB751300}4588C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009621Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.071{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DF-5FCE-0000-0010F6711300}3852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009620Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.055{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64DF-5FCE-0000-0010F6711300}3852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009619Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:39.055{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DF-5FCE-0000-0010F6711300}3852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009618Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:38.993{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DF-5FCE-0000-0010076E1300}1180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009617Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:38.993{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64DF-5FCE-0000-0010076E1300}1180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009616Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:38.993{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DF-5FCE-0000-0010076E1300}1180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009682Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:40.305{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64E0-5FCE-0000-00100FBC1300}6544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009681Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:40.305{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64E0-5FCE-0000-00100FBC1300}6544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009680Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:40.305{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64E0-5FCE-0000-00100FBC1300}6544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009679Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:40.212{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64E0-5FCE-0000-0010A0B81300}6904C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009678Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:40.212{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64E0-5FCE-0000-0010A0B81300}6904C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009677Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:40.212{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64E0-5FCE-0000-0010A0B81300}6904C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009676Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:40.180{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64E0-5FCE-0000-001028B51300}7076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009675Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:40.165{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64E0-5FCE-0000-001028B51300}7076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009674Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:40.165{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64E0-5FCE-0000-001028B51300}7076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009673Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:40.149{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64E0-5FCE-0000-00101DB21300}6652C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009672Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:40.133{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64E0-5FCE-0000-00101DB21300}6652C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009671Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:40.133{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64E0-5FCE-0000-00101DB21300}6652C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009670Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:40.055{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64E0-5FCE-0000-0010ADAE1300}7104C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009669Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:40.040{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64E0-5FCE-0000-0010ADAE1300}7104C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009668Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:40.040{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64E0-5FCE-0000-0010ADAE1300}7104C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009667Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:40.008{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64E0-5FCE-0000-001033AB1300}5380C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009666Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:40.008{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64E0-5FCE-0000-001033AB1300}5380C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009665Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:40.008{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64E0-5FCE-0000-001033AB1300}5380C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009703Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:41.977{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64E1-5FCE-0000-0010B9D31300}5592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009702Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:41.977{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64E1-5FCE-0000-0010B9D31300}5592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009701Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:41.977{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64E1-5FCE-0000-0010B9D31300}5592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009700Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:41.930{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64E1-5FCE-0000-00103DD01300}5900C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009699Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:41.930{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64E1-5FCE-0000-00103DD01300}5900C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009698Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:41.930{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64E1-5FCE-0000-00103DD01300}5900C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009697Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:41.868{B364217D-64E1-5FCE-0000-001007CC1300}2668C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\a6c-0\PresentationFramework-SystemData.dll2020-12-07 17:22:41.868 10341000x80000000000000009696Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:41.836{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64E1-5FCE-0000-001007CC1300}2668C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009695Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:41.821{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64E1-5FCE-0000-001007CC1300}2668C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009694Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:41.821{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64E1-5FCE-0000-001007CC1300}2668C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009693Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:41.790{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64E1-5FCE-0000-001088C81300}3996C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009692Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:41.774{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64E1-5FCE-0000-001088C81300}3996C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009691Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:41.774{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64E1-5FCE-0000-001088C81300}3996C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009690Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:41.727{B364217D-64E1-5FCE-0000-001023C41300}6196C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1834-0\PresentationFramework-SystemCore.dll2020-12-07 17:22:41.727 10341000x80000000000000009689Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:41.602{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64CC-5FCE-0000-00101EDF1100}6196C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009688Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:41.602{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64CC-5FCE-0000-00101EDF1100}6196C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009687Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:41.602{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64CC-5FCE-0000-00101EDF1100}6196C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009686Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:41.461{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64E1-5FCE-0000-001040C01300}6288C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009685Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:41.461{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64E1-5FCE-0000-001040C01300}6288C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009684Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:41.461{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64E1-5FCE-0000-001040C01300}6288C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009683Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:41.383{B364217D-64E0-5FCE-0000-00100FBC1300}6544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1990-0\PresentationBuildTasks.dll2020-12-07 17:22:41.383 10341000x80000000000000009728Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:42.961{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64E2-5FCE-0000-00100FF11300}6308C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009727Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:42.946{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64DC-5FCE-0000-00101FF91200}6308C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009726Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:42.946{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DC-5FCE-0000-00101FF91200}6308C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009725Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:42.883{B364217D-64E2-5FCE-0000-001024EC1300}6304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\18a0-0\PresentationFramework.Aero.dll2020-12-07 17:22:42.883 10341000x80000000000000009724Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:42.446{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DC-5FCE-0000-00102CF51200}6304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009723Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:42.446{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64DC-5FCE-0000-00102CF51200}6304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009722Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:42.446{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DC-5FCE-0000-00102CF51200}6304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009721Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:42.399{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64E2-5FCE-0000-001069E81300}4728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009720Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:42.383{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64E2-5FCE-0000-001069E81300}4728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009719Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:42.383{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64E2-5FCE-0000-001069E81300}4728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009718Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:42.336{B364217D-64E2-5FCE-0000-00101AE41300}1176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\498-0\PresentationFramework-SystemXmlLinq.dll2020-12-07 17:22:42.336 10341000x80000000000000009717Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:42.305{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64E2-5FCE-0000-00101AE41300}1176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009716Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:42.290{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64E2-5FCE-0000-00101AE41300}1176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009715Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:42.290{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64E2-5FCE-0000-00101AE41300}1176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009714Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:42.258{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64E2-5FCE-0000-0010A9E01300}6628C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009713Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:42.243{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64E2-5FCE-0000-0010A9E01300}6628C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009712Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:42.243{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64E2-5FCE-0000-0010A9E01300}6628C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009711Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:42.196{B364217D-64E2-5FCE-0000-0010DBDB1300}5160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1428-0\PresentationFramework-SystemXml.dll2020-12-07 17:22:42.196 10341000x80000000000000009710Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:42.133{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D6-5FCE-0000-00101E691200}5160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009709Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:42.133{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64D6-5FCE-0000-00101E691200}5160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009708Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:42.133{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D6-5FCE-0000-00101E691200}5160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009707Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:42.086{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64CF-5FCE-0000-0010F7F61100}5984C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009706Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:42.086{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64CF-5FCE-0000-0010F7F61100}5984C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009705Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:42.086{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64CF-5FCE-0000-0010F7F61100}5984C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009704Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:42.024{B364217D-64E1-5FCE-0000-0010B9D31300}5592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\15d8-0\PresentationFramework-SystemDrawing.dll2020-12-07 17:22:42.024 10341000x80000000000000009745Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:43.665{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64E3-5FCE-0000-00100B061400}6776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009744Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:43.649{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64DD-5FCE-0000-00100E0D1300}6776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009743Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:43.649{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DD-5FCE-0000-00100E0D1300}6776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009742Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:43.602{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64C7-5FCE-0000-001090AE1100}6852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009741Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:43.602{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64C7-5FCE-0000-001090AE1100}6852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009740Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:43.602{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C7-5FCE-0000-001090AE1100}6852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009739Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:43.540{B364217D-64E3-5FCE-0000-00104CFD1300}6160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1810-0\PresentationFramework.Classic.dll2020-12-07 17:22:43.540 10341000x80000000000000009738Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:43.321{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64E3-5FCE-0000-00104CFD1300}6160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009737Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:43.321{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64E3-5FCE-0000-00104CFD1300}6160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009736Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:43.321{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64E3-5FCE-0000-00104CFD1300}6160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009735Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:43.274{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64E3-5FCE-0000-00109FF91300}3124C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009734Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:43.258{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64E3-5FCE-0000-00109FF91300}3124C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009733Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:43.258{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64E3-5FCE-0000-00109FF91300}3124C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009732Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:43.196{B364217D-64E3-5FCE-0000-0010B1F41300}6964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1b34-0\PresentationFramework.AeroLite.dll2020-12-07 17:22:43.196 10341000x80000000000000009731Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:43.055{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64E3-5FCE-0000-0010B1F41300}6964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009730Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:43.055{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64E3-5FCE-0000-0010B1F41300}6964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009729Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:43.055{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64E3-5FCE-0000-0010B1F41300}6964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009759Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:44.680{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64E4-5FCE-0000-001038181400}5700C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009758Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:44.665{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64C5-5FCE-0000-001009551100}5700C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009757Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:44.665{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64C5-5FCE-0000-001009551100}5700C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009756Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:44.477{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64E4-5FCE-0000-00109E131400}2800C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009755Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:44.461{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64E4-5FCE-0000-00109E131400}2800C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009754Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:44.461{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64E4-5FCE-0000-00109E131400}2800C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009753Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:44.399{B364217D-64E4-5FCE-0000-0010A20E1400}5968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1750-0\PresentationFramework.Royale.dll2020-12-07 17:22:44.399 10341000x80000000000000009752Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:44.149{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64E4-5FCE-0000-0010A20E1400}5968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009751Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:44.149{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64E4-5FCE-0000-0010A20E1400}5968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009750Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:44.149{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64E4-5FCE-0000-0010A20E1400}5968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009749Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:44.086{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64E4-5FCE-0000-0010ED0A1400}5996C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009748Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:44.086{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64E4-5FCE-0000-0010ED0A1400}5996C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009747Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:44.086{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64E4-5FCE-0000-0010ED0A1400}5996C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009746Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:44.024{B364217D-64E3-5FCE-0000-00100B061400}6776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1a78-0\PresentationFramework.Luna.dll2020-12-07 17:22:44.024 10341000x80000000000000009766Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:45.915{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64E5-5FCE-0000-00101C221400}4076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009765Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:45.915{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64E5-5FCE-0000-00101C221400}4076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009764Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:45.915{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64E5-5FCE-0000-00101C221400}4076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009763Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:45.805{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D4-5FCE-0000-0010EB2D1200}5708C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009762Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:45.805{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64D4-5FCE-0000-0010EB2D1200}5708C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009761Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:45.805{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D4-5FCE-0000-0010EB2D1200}5708C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009760Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:45.711{B364217D-64E4-5FCE-0000-001038181400}5700C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1644-0\PresentationUI.dll2020-12-07 17:22:45.711 11241100x80000000000000009767Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:48.977{B364217D-64E5-5FCE-0000-00101C221400}4076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\fec-0\ReachFramework.dll2020-12-07 17:22:48.961 10341000x80000000000000009789Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:49.586{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64E9-5FCE-0000-0010D0401400}5500C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009788Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:49.586{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64E9-5FCE-0000-0010D0401400}5500C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009787Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:49.586{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64E9-5FCE-0000-0010D0401400}5500C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009786Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:49.430{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64E9-5FCE-0000-0010863C1400}7072C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009785Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:49.430{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64E9-5FCE-0000-0010863C1400}7072C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009784Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:49.430{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64E9-5FCE-0000-0010863C1400}7072C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009783Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:49.383{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64E9-5FCE-0000-0010A4381400}6552C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009782Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:49.368{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64DD-5FCE-0000-00109F381300}6552C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009781Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:49.368{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DD-5FCE-0000-00109F381300}6552C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009780Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:49.321{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DD-5FCE-0000-001096341300}6884C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009779Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:49.321{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64DD-5FCE-0000-001096341300}6884C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009778Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:49.321{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DD-5FCE-0000-001096341300}6884C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009777Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:49.258{B364217D-64E9-5FCE-0000-0010542F1400}6928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1b10-0\SMDiagnostics.dll2020-12-07 17:22:49.258 10341000x80000000000000009776Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:49.164{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64E9-5FCE-0000-0010542F1400}6928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009775Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:49.164{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64E9-5FCE-0000-0010542F1400}6928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009774Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:49.164{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64E9-5FCE-0000-0010542F1400}6928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009773Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:49.118{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DD-5FCE-0000-0010552C1300}6848C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009772Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:49.118{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64DD-5FCE-0000-0010552C1300}6848C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009771Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:49.118{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DD-5FCE-0000-0010552C1300}6848C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009770Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:49.071{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64E9-5FCE-0000-001048281400}6564C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009769Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:49.071{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64E9-5FCE-0000-001048281400}6564C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009768Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:49.071{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64E9-5FCE-0000-001048281400}6564C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009796Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:53.758{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64ED-5FCE-0000-0010F54C1400}6192C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009795Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:53.758{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64ED-5FCE-0000-0010F54C1400}6192C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009794Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:53.758{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64ED-5FCE-0000-0010F54C1400}6192C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009793Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:53.508{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64ED-5FCE-0000-00100A481400}6280C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009792Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:53.493{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64ED-5FCE-0000-00100A481400}6280C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009791Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:53.493{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64ED-5FCE-0000-00100A481400}6280C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009790Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:53.352{B364217D-64E9-5FCE-0000-0010D0401400}5500C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\157c-0\System.Activities.dll2020-12-07 17:22:53.352 10341000x80000000000000009807Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:55.961{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64EF-5FCE-0000-001009631400}6508C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009806Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:55.946{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64EF-5FCE-0000-001009631400}6508C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009805Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:55.946{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64EF-5FCE-0000-001009631400}6508C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009804Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:55.883{B364217D-64EF-5FCE-0000-0010D45C1400}1892C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\764-0\System.Activities.DurableInstancing.dll2020-12-07 17:22:55.883 10341000x80000000000000009803Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:55.414{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64EF-5FCE-0000-0010D45C1400}1892C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009802Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:55.399{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64D9-5FCE-0000-00104EDF1200}1892C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009801Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:55.399{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D9-5FCE-0000-00104EDF1200}1892C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009800Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:55.258{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64EF-5FCE-0000-001073581400}4924C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009799Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:55.242{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64EF-5FCE-0000-001073581400}4924C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009798Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:55.242{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64EF-5FCE-0000-001073581400}4924C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009797Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:55.164{B364217D-64ED-5FCE-0000-0010F54C1400}6192C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1830-0\System.Activities.Core.Presentation.dll2020-12-07 17:22:55.164 10341000x80000000000000009810Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:56.149{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64F0-5FCE-0000-001022681400}5740C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009809Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:56.149{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64F0-5FCE-0000-001022681400}5740C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009808Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:22:56.149{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64F0-5FCE-0000-001022681400}5740C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009811Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:22:59.930{B364217D-64F0-5FCE-0000-001022681400}5740C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\166c-0\System.Activities.Presentation.dll2020-12-07 17:22:59.930 10341000x80000000000000009831Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:00.930{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64F4-5FCE-0000-001031811400}6864C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009830Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:00.930{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64F4-5FCE-0000-001031811400}6864C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009829Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:00.930{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64F4-5FCE-0000-001031811400}6864C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009828Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:00.805{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64F4-5FCE-0000-0010CF7D1400}6768C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009827Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:00.789{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64D2-5FCE-0000-0010110D1200}6768C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009826Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:00.789{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D2-5FCE-0000-0010110D1200}6768C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009825Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:00.742{B364217D-64F4-5FCE-0000-0010AE7A1400}4856C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\12f8-0\System.AddIn.Contract.dll2020-12-07 17:23:00.742 10341000x80000000000000009824Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:00.695{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D7-5FCE-0000-0010DB7C1200}4856C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009823Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:00.695{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64D7-5FCE-0000-0010DB7C1200}4856C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009822Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:00.695{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D7-5FCE-0000-0010DB7C1200}4856C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009821Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:00.664{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64F4-5FCE-0000-0010C3771400}5952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009820Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:00.664{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64F4-5FCE-0000-0010C3771400}5952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009819Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:00.664{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64F4-5FCE-0000-0010C3771400}5952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009818Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:00.602{B364217D-64F4-5FCE-0000-0010FD731400}6868C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1ad4-0\System.AddIn.dll2020-12-07 17:23:00.602 10341000x80000000000000009817Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:00.117{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64F4-5FCE-0000-0010FD731400}6868C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009816Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:00.117{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64F4-5FCE-0000-0010FD731400}6868C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009815Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:00.117{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64F4-5FCE-0000-0010FD731400}6868C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009814Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:00.070{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64F4-5FCE-0000-0010A4701400}7036C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009813Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:00.055{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64D7-5FCE-0000-0010F8701200}7036C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009812Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:00.055{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D7-5FCE-0000-0010F8701200}7036C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009835Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:01.914{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64F5-5FCE-0000-0010E1841400}2680C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009834Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:01.914{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64F5-5FCE-0000-0010E1841400}2680C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009833Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:01.914{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64F5-5FCE-0000-0010E1841400}2680C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009832Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:01.836{B364217D-64F4-5FCE-0000-001031811400}6864C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1ad0-0\System.ComponentModel.Composition.dll2020-12-07 17:23:01.836 10341000x80000000000000009853Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:02.914{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64F6-5FCE-0000-001042971400}636C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009852Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:02.899{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64F6-5FCE-0000-001042971400}636C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009851Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:02.899{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64F6-5FCE-0000-001042971400}636C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009850Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:02.774{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64F6-5FCE-0000-00109F931400}6912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009849Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:02.758{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64F6-5FCE-0000-00109F931400}6912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009848Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:02.758{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64F6-5FCE-0000-00109F931400}6912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009847Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:02.711{B364217D-64F6-5FCE-0000-0010B68F1400}7068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1b9c-0\System.ComponentModel.DataAnnotations.dll2020-12-07 17:23:02.711 13241300x80000000000000009846Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:23:02.586{B364217D-61FE-5FCE-0000-001037C40000}1204C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6ccbd-0x9e02a359) 10341000x80000000000000009845Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:02.445{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64F6-5FCE-0000-0010B68F1400}7068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009844Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:02.430{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64D4-5FCE-0000-00104A1B1200}7068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009843Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:02.430{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D4-5FCE-0000-00104A1B1200}7068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009842Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:02.305{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64F6-5FCE-0000-0010038C1400}6732C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009841Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:02.305{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64F6-5FCE-0000-0010038C1400}6732C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009840Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:02.305{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64F6-5FCE-0000-0010038C1400}6732C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009839Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:02.242{B364217D-64F6-5FCE-0000-001079881400}6720C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1a40-0\System.ComponentModel.Composition.Registration.dll2020-12-07 17:23:02.242 10341000x80000000000000009838Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:02.055{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64F6-5FCE-0000-001079881400}6720C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009837Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:02.055{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64F6-5FCE-0000-001079881400}6720C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009836Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:02.055{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64F6-5FCE-0000-001079881400}6720C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009860Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:03.367{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64F7-5FCE-0000-0010F59E1400}5636C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009859Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:03.352{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64D4-5FCE-0000-0010752A1200}5636C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009858Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:03.352{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D4-5FCE-0000-0010752A1200}5636C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009857Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:03.164{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D8-5FCE-0000-0010ADA01200}2500C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009856Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:03.164{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64D8-5FCE-0000-0010ADA01200}2500C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009855Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:03.164{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D8-5FCE-0000-0010ADA01200}2500C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009854Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:03.102{B364217D-64F6-5FCE-0000-001042971400}636C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\27c-0\System.Data.DataSetExtensions.dll2020-12-07 17:23:03.102 10341000x80000000000000009863Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:13.992{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6501-5FCE-0000-0010ADA61400}5744C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009862Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:13.992{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6501-5FCE-0000-0010ADA61400}5744C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009861Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:13.726{B364217D-64F7-5FCE-0000-0010F59E1400}5636C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1604-0\System.Data.Entity.dll2020-12-07 17:23:13.726 10341000x80000000000000009867Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:14.148{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6502-5FCE-0000-001098AA1400}7124C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009866Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:14.133{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6502-5FCE-0000-001098AA1400}7124C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009865Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:14.133{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6502-5FCE-0000-001098AA1400}7124C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009864Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:13.992{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6501-5FCE-0000-0010ADA61400}5744C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009874Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:15.258{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D8-5FCE-0000-0010B0B91200}4128C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009873Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:15.258{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64D8-5FCE-0000-0010B0B91200}4128C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009872Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:15.258{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D8-5FCE-0000-0010B0B91200}4128C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009871Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:15.117{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6503-5FCE-0000-00109AAF1400}5508C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009870Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:15.117{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6503-5FCE-0000-00109AAF1400}5508C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009869Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:15.117{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6503-5FCE-0000-00109AAF1400}5508C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009868Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:15.039{B364217D-6502-5FCE-0000-001098AA1400}7124C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1bd4-0\System.Data.Entity.Design.dll2020-12-07 17:23:15.039 10341000x80000000000000009881Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:17.383{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DE-5FCE-0000-0010163D1300}5456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009880Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:17.383{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64DE-5FCE-0000-0010163D1300}5456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009879Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:17.383{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DE-5FCE-0000-0010163D1300}5456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009878Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:17.195{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64E0-5FCE-0000-001028B51300}7076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009877Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:17.195{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64E0-5FCE-0000-001028B51300}7076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009876Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:17.195{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64E0-5FCE-0000-001028B51300}7076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009875Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:17.101{B364217D-6503-5FCE-0000-001068B31400}4128C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1020-0\System.Data.Linq.dll2020-12-07 17:23:17.101 10341000x80000000000000009896Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:18.679{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-6506-5FCE-0000-001013CA1400}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009895Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:18.679{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009894Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:18.679{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009893Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:18.679{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009892Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:18.679{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009891Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:18.679{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6506-5FCE-0000-001013CA1400}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009890Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:18.679{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-6506-5FCE-0000-001013CA1400}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009889Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:18.681{B364217D-6506-5FCE-0000-001013CA1400}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009888Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:18.476{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D6-5FCE-0000-0010C7461200}6648C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009887Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:18.476{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64D6-5FCE-0000-0010C7461200}6648C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009886Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:18.476{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D6-5FCE-0000-0010C7461200}6648C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009885Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:18.289{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6506-5FCE-0000-001016C01400}5460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009884Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:18.289{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6506-5FCE-0000-001016C01400}5460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009883Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:18.289{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6506-5FCE-0000-001016C01400}5460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009882Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:18.211{B364217D-6505-5FCE-0000-0010EDBB1400}5456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1550-0\System.Data.OracleClient.dll2020-12-07 17:23:18.211 10341000x80000000000000009913Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:19.976{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-6507-5FCE-0000-001051CE1400}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009912Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:19.976{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009911Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:19.976{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009910Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:19.976{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009909Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:19.976{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009908Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:19.976{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6507-5FCE-0000-001051CE1400}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009907Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:19.976{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-6507-5FCE-0000-001051CE1400}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009906Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:19.977{B364217D-6507-5FCE-0000-001051CE1400}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009905Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:19.461{B364217D-6507-5FCE-0000-00103DCC1400}50246260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009904Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:19.304{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-6507-5FCE-0000-00103DCC1400}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009903Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:19.304{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009902Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:19.304{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009901Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:19.304{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009900Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:19.304{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009899Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:19.304{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6507-5FCE-0000-00103DCC1400}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009898Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:19.304{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-6507-5FCE-0000-00103DCC1400}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009897Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:19.306{B364217D-6507-5FCE-0000-00103DCC1400}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009920Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:20.226{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6508-5FCE-0000-0010F2D31400}7084C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009919Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:20.211{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64CE-5FCE-0000-00102DF01100}7084C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009918Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:20.211{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64CE-5FCE-0000-00102DF01100}7084C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009917Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:20.086{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64E1-5FCE-0000-001007CC1300}2668C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009916Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:20.086{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64E1-5FCE-0000-001007CC1300}2668C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009915Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:20.086{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64E1-5FCE-0000-001007CC1300}2668C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009914Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:19.992{B364217D-6506-5FCE-0000-0010DBC41400}6648C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\19f8-0\System.Data.Services.dll2020-12-07 17:23:19.992 10341000x80000000000000009939Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:21.992{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64D2-5FCE-0000-0010A2041200}3792C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009938Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:21.992{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64D2-5FCE-0000-0010A2041200}3792C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009937Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:21.929{B364217D-6509-5FCE-0000-00109CDD1400}6604C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\19cc-0\System.Data.Services.Design.dll2020-12-07 17:23:21.929 10341000x80000000000000009936Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:21.461{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DA-5FCE-0000-0010A4EC1200}6604C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009935Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:21.461{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64DA-5FCE-0000-0010A4EC1200}6604C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009934Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:21.461{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DA-5FCE-0000-0010A4EC1200}6604C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009933Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:21.351{B364217D-6509-5FCE-0000-001085D71400}51602280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009932Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:21.304{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6509-5FCE-0000-00104DD91400}6532C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009931Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:21.304{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6509-5FCE-0000-00104DD91400}6532C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009930Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:21.304{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6509-5FCE-0000-00104DD91400}6532C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009929Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:21.226{B364217D-6508-5FCE-0000-0010F2D31400}7084C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1bac-0\System.Data.Services.Client.dll2020-12-07 17:23:21.226 10341000x80000000000000009928Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:21.211{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-64E2-5FCE-0000-0010DBDB1300}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009927Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:21.211{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009926Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:21.211{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009925Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:21.211{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009924Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:21.211{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009923Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:21.211{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64E2-5FCE-0000-0010DBDB1300}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009922Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:21.211{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-64E2-5FCE-0000-0010DBDB1300}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009921Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:21.211{B364217D-6509-5FCE-0000-001085D71400}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009961Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:22.773{B364217D-650A-5FCE-0000-001006EA1400}48566180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009960Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:22.617{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-64F4-5FCE-0000-0010AE7A1400}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009959Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:22.617{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009958Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:22.617{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009957Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:22.617{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009956Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:22.617{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009955Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:22.617{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64F4-5FCE-0000-0010AE7A1400}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009954Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:22.617{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-64F4-5FCE-0000-0010AE7A1400}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009953Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:22.619{B364217D-650A-5FCE-0000-001006EA1400}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009952Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:22.226{B364217D-650A-5FCE-0000-0010AFE71400}66962872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009951Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:22.086{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-650A-5FCE-0000-0010AFE71400}6696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009950Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:22.086{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009949Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:22.086{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009948Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:22.086{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009947Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:22.086{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009946Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:22.086{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-650A-5FCE-0000-0010AFE71400}6696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009945Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:22.086{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-650A-5FCE-0000-0010AFE71400}6696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009944Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:22.086{B364217D-650A-5FCE-0000-0010AFE71400}6696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009943Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:22.054{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DE-5FCE-0000-00106B691300}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009942Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:22.054{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64DE-5FCE-0000-00106B691300}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009941Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:22.054{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DE-5FCE-0000-00106B691300}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009940Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:21.992{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64D2-5FCE-0000-0010A2041200}3792C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009969Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:23.961{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-650B-5FCE-0000-001072EC1400}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009968Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:23.961{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009967Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:23.961{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009966Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:23.961{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009965Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:23.961{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009964Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:23.961{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-650B-5FCE-0000-001072EC1400}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009963Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:23.961{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-650B-5FCE-0000-001072EC1400}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009962Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:23.961{B364217D-650B-5FCE-0000-001072EC1400}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009976Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:24.226{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-650C-5FCE-0000-001013F21400}6660C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009975Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:24.226{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-650C-5FCE-0000-001013F21400}6660C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009974Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:24.226{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-650C-5FCE-0000-001013F21400}6660C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009973Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:24.101{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-650C-5FCE-0000-00106AEE1400}5916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009972Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:24.086{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-650C-5FCE-0000-00106AEE1400}5916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009971Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:24.086{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-650C-5FCE-0000-00106AEE1400}5916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009970Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:24.007{B364217D-650A-5FCE-0000-001019E51400}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1b98-0\System.Data.SqlXml.dll2020-12-07 17:23:23.992 10341000x80000000000000009983Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:25.539{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-650D-5FCE-0000-00108FFA1400}6732C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009982Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:25.523{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64F6-5FCE-0000-0010038C1400}6732C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009981Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:25.523{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64F6-5FCE-0000-0010038C1400}6732C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009980Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:25.351{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-650D-5FCE-0000-001032F61400}6820C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009979Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:25.351{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-650D-5FCE-0000-001032F61400}6820C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009978Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:25.351{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-650D-5FCE-0000-001032F61400}6820C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009977Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:25.273{B364217D-650C-5FCE-0000-001013F21400}6660C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1a04-0\System.Deployment.dll2020-12-07 17:23:25.273 10341000x80000000000000009997Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:31.632{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6513-5FCE-0000-001059261500}6148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009996Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:31.617{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6513-5FCE-0000-001059261500}6148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009995Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:31.617{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6513-5FCE-0000-001059261500}6148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009994Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:31.570{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6513-5FCE-0000-001007231500}6832C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009993Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:31.570{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6513-5FCE-0000-001007231500}6832C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009992Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:31.570{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6513-5FCE-0000-001007231500}6832C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009991Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:31.507{B364217D-6513-5FCE-0000-0010621E1500}1400C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\578-0\System.Device.dll2020-12-07 17:23:31.507 10341000x80000000000000009990Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:31.429{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6513-5FCE-0000-0010621E1500}1400C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009989Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:31.414{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6513-5FCE-0000-0010621E1500}1400C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009988Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:31.414{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6513-5FCE-0000-0010621E1500}1400C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009987Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:31.382{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64DF-5FCE-0000-00109F901300}4544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009986Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:31.382{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64DF-5FCE-0000-00109F901300}4544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009985Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:31.382{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64DF-5FCE-0000-00109F901300}4544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009984Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:31.195{B364217D-650D-5FCE-0000-00108FFA1400}6732C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1a4c-0\System.Design.dll2020-12-07 17:23:31.195 10341000x800000000000000010014Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:32.992{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64E0-5FCE-0000-001033AB1300}5380C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010013Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:32.992{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64E0-5FCE-0000-001033AB1300}5380C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010012Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:32.929{B364217D-6514-5FCE-0000-0010F9391500}5744C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1670-0\System.Drawing.Design.dll2020-12-07 17:23:32.929 10341000x800000000000000010011Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:32.773{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6514-5FCE-0000-0010F9391500}5744C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010010Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:32.757{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6501-5FCE-0000-0010ADA61400}5744C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010009Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:32.757{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6501-5FCE-0000-0010ADA61400}5744C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010008Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:32.726{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6514-5FCE-0000-0010B4361500}5636C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010007Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:32.710{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64F7-5FCE-0000-0010F59E1400}5636C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010006Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:32.710{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64F7-5FCE-0000-0010F59E1400}5636C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010005Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:32.664{B364217D-6514-5FCE-0000-0010E6301500}6800C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1a90-0\System.DirectoryServices.Protocols.dll2020-12-07 17:23:32.664 10341000x800000000000000010004Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:32.335{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6514-5FCE-0000-0010E6301500}6800C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010003Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:32.335{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6514-5FCE-0000-0010E6301500}6800C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010002Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:32.335{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6514-5FCE-0000-0010E6301500}6800C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010001Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:32.304{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6514-5FCE-0000-0010672D1500}3984C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010000Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:32.289{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6514-5FCE-0000-0010672D1500}3984C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009999Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:32.289{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6514-5FCE-0000-0010672D1500}3984C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009998Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:32.226{B364217D-6513-5FCE-0000-001059261500}6148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1804-0\System.DirectoryServices.AccountManagement.dll2020-12-07 17:23:32.226 10341000x800000000000000010025Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:33.585{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6515-5FCE-0000-0010D44B1500}6536C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010024Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:33.585{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6515-5FCE-0000-0010D44B1500}6536C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010023Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:33.585{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6515-5FCE-0000-0010D44B1500}6536C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010022Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:33.539{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6515-5FCE-0000-00101F481500}6900C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010021Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:33.539{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6515-5FCE-0000-00101F481500}6900C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010020Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:33.539{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6515-5FCE-0000-00101F481500}6900C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010019Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:33.476{B364217D-6515-5FCE-0000-0010B5421500}6056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\17a8-0\System.Dynamic.dll2020-12-07 17:23:33.476 10341000x800000000000000010018Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:33.132{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6515-5FCE-0000-0010B5421500}6056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010017Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:33.117{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6515-5FCE-0000-0010B5421500}6056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010016Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:33.117{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6515-5FCE-0000-0010B5421500}6056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010015Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:32.992{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64E0-5FCE-0000-001033AB1300}5380C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010033Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:34.492{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6516-5FCE-0000-001078561500}6932C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010032Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:34.476{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6516-5FCE-0000-001078561500}6932C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010031Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:34.476{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6516-5FCE-0000-001078561500}6932C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010030Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:34.335{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64E0-5FCE-0000-0010A0B81300}6904C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010029Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:34.335{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-64E0-5FCE-0000-0010A0B81300}6904C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010028Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:34.335{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64E0-5FCE-0000-0010A0B81300}6904C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010027Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:34.226{B364217D-6515-5FCE-0000-0010D44B1500}6536C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1988-0\System.EnterpriseServices.dll2020-12-07 17:23:34.226 11241100x800000000000000010026Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:34.210{B364217D-6515-5FCE-0000-0010D44B1500}6536C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1988-0\System.EnterpriseServices.Wrapper.dll2020-12-07 17:23:34.210 10341000x800000000000000010040Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:36.898{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6518-5FCE-0000-0010B9601500}6644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010039Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:36.898{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6518-5FCE-0000-0010B9601500}6644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010038Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:36.898{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6518-5FCE-0000-0010B9601500}6644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010037Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:36.757{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64E1-5FCE-0000-001023C41300}6196C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010036Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:36.757{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64E1-5FCE-0000-001023C41300}6196C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010035Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:36.757{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64E1-5FCE-0000-001023C41300}6196C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010034Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:36.663{B364217D-6516-5FCE-0000-001078561500}6932C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1b14-0\System.IdentityModel.dll2020-12-07 17:23:36.663 10341000x800000000000000010054Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:37.945{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6519-5FCE-0000-0010E5741500}7084C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010053Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:37.930{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6508-5FCE-0000-0010F2D31400}7084C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010052Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:37.930{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6508-5FCE-0000-0010F2D31400}7084C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010051Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:37.898{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6519-5FCE-0000-0010B8711500}6580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010050Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:37.898{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6519-5FCE-0000-0010B8711500}6580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010049Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:37.898{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6519-5FCE-0000-0010B8711500}6580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010048Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:37.835{B364217D-6519-5FCE-0000-00109A6A1500}5900C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\170c-0\System.IdentityModel.Services.dll2020-12-07 17:23:37.835 10341000x800000000000000010047Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:37.367{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6519-5FCE-0000-00109A6A1500}5900C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010046Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:37.351{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64E1-5FCE-0000-00103DD01300}5900C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010045Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:37.351{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64E1-5FCE-0000-00103DD01300}5900C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010044Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:37.179{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6519-5FCE-0000-001070661500}6284C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010043Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:37.179{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6519-5FCE-0000-001070661500}6284C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010042Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:37.179{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6519-5FCE-0000-001070661500}6284C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010041Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:37.117{B364217D-6518-5FCE-0000-0010B9601500}6644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\19f4-0\System.IdentityModel.Selectors.dll2020-12-07 17:23:37.117 10341000x800000000000000010078Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:38.929{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64E3-5FCE-0000-0010B1F41300}6964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010077Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:38.929{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-64E3-5FCE-0000-0010B1F41300}6964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010076Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:38.929{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64E3-5FCE-0000-0010B1F41300}6964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010075Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:38.773{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-651A-5FCE-0000-00104C8B1500}812C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010074Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:38.773{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-651A-5FCE-0000-00104C8B1500}812C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010073Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:38.773{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-651A-5FCE-0000-00104C8B1500}812C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010072Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:38.726{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-651A-5FCE-0000-001053871500}4856C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010071Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:38.710{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-650A-5FCE-0000-001006EA1400}4856C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010070Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:38.710{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-650A-5FCE-0000-001006EA1400}4856C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010069Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:38.663{B364217D-651A-5FCE-0000-00101F821500}2384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\950-0\System.IO.Log.dll2020-12-07 17:23:38.663 10341000x800000000000000010068Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:38.335{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-651A-5FCE-0000-00101F821500}2384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010067Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:38.320{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-651A-5FCE-0000-00101F821500}2384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010066Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:38.320{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-651A-5FCE-0000-00101F821500}2384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010065Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:38.273{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-651A-5FCE-0000-0010A47E1500}3644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010064Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:38.273{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-651A-5FCE-0000-0010A47E1500}3644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010063Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:38.273{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-651A-5FCE-0000-0010A47E1500}3644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010062Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:38.210{B364217D-651A-5FCE-0000-00104F7B1500}5896C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1708-0\System.IO.Compression.FileSystem.dll2020-12-07 17:23:38.210 10341000x800000000000000010061Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:38.179{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-651A-5FCE-0000-00104F7B1500}5896C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010060Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:38.163{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-651A-5FCE-0000-00104F7B1500}5896C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010059Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:38.163{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-651A-5FCE-0000-00104F7B1500}5896C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010058Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:38.132{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-651A-5FCE-0000-001019781500}6044C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010057Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:38.132{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-651A-5FCE-0000-001019781500}6044C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010056Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:38.132{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-651A-5FCE-0000-001019781500}6044C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010055Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:38.070{B364217D-6519-5FCE-0000-0010E5741500}7084C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1bac-0\System.IO.Compression.dll2020-12-07 17:23:38.070 10341000x800000000000000010092Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:39.945{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64E4-5FCE-0000-0010ED0A1400}5996C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010091Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:39.945{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64E4-5FCE-0000-0010ED0A1400}5996C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010090Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:39.945{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64E4-5FCE-0000-0010ED0A1400}5996C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010089Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:39.882{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-651B-5FCE-0000-00102B9A1500}6784C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010088Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:39.867{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-651B-5FCE-0000-00102B9A1500}6784C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010087Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:39.867{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-651B-5FCE-0000-00102B9A1500}6784C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010086Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:39.804{B364217D-651B-5FCE-0000-00100A961500}6724C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1a44-0\System.Messaging.dll2020-12-07 17:23:39.804 10341000x800000000000000010085Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:39.398{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-651B-5FCE-0000-00100A961500}6724C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010084Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:39.398{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-651B-5FCE-0000-00100A961500}6724C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010083Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:39.398{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-651B-5FCE-0000-00100A961500}6724C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010082Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:39.351{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-651B-5FCE-0000-00107B921500}6872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010081Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:39.351{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-651B-5FCE-0000-00107B921500}6872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010080Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:39.351{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-651B-5FCE-0000-00107B921500}6872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010079Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:39.288{B364217D-651A-5FCE-0000-0010EE8E1500}6964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1b34-0\System.Management.Instrumentation.dll2020-12-07 17:23:39.288 10341000x800000000000000010113Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:40.976{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-651C-5FCE-0000-001015B21500}6792C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010112Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:40.976{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-651C-5FCE-0000-001015B21500}6792C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010111Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:40.976{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-651C-5FCE-0000-001015B21500}6792C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010110Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:40.913{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-651C-5FCE-0000-001047AE1500}6880C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010109Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:40.913{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-651C-5FCE-0000-001047AE1500}6880C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010108Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:40.913{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-651C-5FCE-0000-001047AE1500}6880C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010107Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:40.851{B364217D-651C-5FCE-0000-0010BDAA1500}7148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1bec-0\System.Numerics.dll2020-12-07 17:23:40.851 10341000x800000000000000010106Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:40.648{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-651C-5FCE-0000-0010BDAA1500}7148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010105Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:40.648{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-651C-5FCE-0000-0010BDAA1500}7148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010104Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:40.648{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-651C-5FCE-0000-0010BDAA1500}7148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010103Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:40.617{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-651C-5FCE-0000-0010D2A71500}1168C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010102Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:40.617{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-651C-5FCE-0000-0010D2A71500}1168C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010101Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:40.617{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-651C-5FCE-0000-0010D2A71500}1168C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010100Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:40.554{B364217D-651C-5FCE-0000-00101FA41500}3340C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\d0c-0\System.Net.Http.WebRequest.dll2020-12-07 17:23:40.554 10341000x800000000000000010099Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:40.445{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-651C-5FCE-0000-00101FA41500}3340C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010098Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:40.445{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-651C-5FCE-0000-00101FA41500}3340C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010097Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:40.445{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-651C-5FCE-0000-00101FA41500}3340C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010096Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:40.335{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-651C-5FCE-0000-0010A8A01500}5664C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010095Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:40.320{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-651C-5FCE-0000-0010A8A01500}5664C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010094Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:40.320{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-651C-5FCE-0000-0010A8A01500}5664C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010093Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:40.257{B364217D-651B-5FCE-0000-0010599D1500}5996C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\176c-0\System.Net.dll2020-12-07 17:23:40.257 10341000x800000000000000010120Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:41.960{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-651D-5FCE-0000-00106EBA1500}7164C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010119Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:41.960{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-651D-5FCE-0000-00106EBA1500}7164C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010118Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:41.960{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-651D-5FCE-0000-00106EBA1500}7164C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010117Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:41.929{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-651D-5FCE-0000-00108CB71500}6176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010116Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:41.929{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-651D-5FCE-0000-00108CB71500}6176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010115Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:41.929{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-651D-5FCE-0000-00108CB71500}6176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010114Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:41.867{B364217D-651C-5FCE-0000-001015B21500}6792C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1a88-0\System.Printing.dll2020-12-07 17:23:41.867 10341000x800000000000000010134Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:42.695{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-651E-5FCE-0000-0010D4C81500}6528C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010133Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:42.679{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-651E-5FCE-0000-0010D4C81500}6528C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010132Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:42.679{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-651E-5FCE-0000-0010D4C81500}6528C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010131Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:42.538{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-651E-5FCE-0000-0010F5C41500}6384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010130Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:42.538{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-651E-5FCE-0000-0010F5C41500}6384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010129Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:42.538{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-651E-5FCE-0000-0010F5C41500}6384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010128Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:42.476{B364217D-651E-5FCE-0000-001042C11500}6560C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\19a0-0\System.Runtime.Caching.dll2020-12-07 17:23:42.476 10341000x800000000000000010127Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:42.320{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-651E-5FCE-0000-001042C11500}6560C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010126Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:42.304{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-651E-5FCE-0000-001042C11500}6560C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010125Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:42.304{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-651E-5FCE-0000-001042C11500}6560C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010124Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:42.195{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-651E-5FCE-0000-0010F4BD1500}7124C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010123Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:42.179{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6502-5FCE-0000-001098AA1400}7124C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010122Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:42.179{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6502-5FCE-0000-001098AA1400}7124C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010121Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:42.132{B364217D-651D-5FCE-0000-00106EBA1500}7164C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1bfc-0\System.Reflection.Context.dll2020-12-07 17:23:42.132 10341000x800000000000000010148Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:43.476{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-651F-5FCE-0000-0010BFD71500}7156C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010147Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:43.476{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-651F-5FCE-0000-0010BFD71500}7156C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010146Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:43.476{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-651F-5FCE-0000-0010BFD71500}7156C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010145Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:43.445{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-651F-5FCE-0000-001085D41500}6280C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010144Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:43.429{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64ED-5FCE-0000-00100A481400}6280C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010143Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:43.429{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64ED-5FCE-0000-00100A481400}6280C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010142Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:43.382{B364217D-651F-5FCE-0000-00100BD11500}6344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\18c8-0\System.Runtime.Serialization.Formatters.Soap.dll2020-12-07 17:23:43.366 10341000x800000000000000010141Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:43.148{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-651F-5FCE-0000-00100BD11500}6344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010140Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:43.148{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-651F-5FCE-0000-00100BD11500}6344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010139Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:43.148{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-651F-5FCE-0000-00100BD11500}6344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010138Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:43.116{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-651F-5FCE-0000-001010CE1500}6552C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010137Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:43.101{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-64E9-5FCE-0000-0010A4381400}6552C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010136Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:43.101{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64E9-5FCE-0000-0010A4381400}6552C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010135Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:43.054{B364217D-651E-5FCE-0000-0010D4C81500}6528C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1980-0\System.Runtime.DurableInstancing.dll2020-12-07 17:23:43.054 10341000x800000000000000010162Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:44.976{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6520-5FCE-0000-0010C0EC1500}6960C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010161Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:44.976{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6520-5FCE-0000-0010C0EC1500}6960C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010160Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:44.976{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6520-5FCE-0000-0010C0EC1500}6960C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010159Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:44.835{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6520-5FCE-0000-001065E81500}5988C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010158Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:44.835{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6520-5FCE-0000-001065E81500}5988C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010157Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:44.835{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6520-5FCE-0000-001065E81500}5988C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010156Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:44.773{B364217D-6520-5FCE-0000-001056E01500}6164C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1814-0\System.ServiceModel.Activation.dll2020-12-07 17:23:44.773 10341000x800000000000000010155Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:44.257{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6520-5FCE-0000-001056E01500}6164C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010154Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:44.257{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6520-5FCE-0000-001056E01500}6164C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010153Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:44.257{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6520-5FCE-0000-001056E01500}6164C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010152Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:44.101{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6520-5FCE-0000-0010A8DB1500}6396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010151Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:44.085{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6520-5FCE-0000-0010A8DB1500}6396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010150Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:44.085{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6520-5FCE-0000-0010A8DB1500}6396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010149Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:44.023{B364217D-651F-5FCE-0000-0010BFD71500}7156C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1bf4-0\System.Security.dll2020-12-07 17:23:44.023 10341000x800000000000000010169Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:46.679{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6522-5FCE-0000-0010D2F81500}6952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010168Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:46.679{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6522-5FCE-0000-0010D2F81500}6952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010167Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:46.679{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6522-5FCE-0000-0010D2F81500}6952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010166Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:46.616{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6522-5FCE-0000-0010D6F41500}4964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010165Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:46.616{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6522-5FCE-0000-0010D6F41500}4964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010164Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:46.616{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6522-5FCE-0000-0010D6F41500}4964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010163Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:46.523{B364217D-6520-5FCE-0000-0010C0EC1500}6960C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1b30-0\System.ServiceModel.Activities.dll2020-12-07 17:23:46.523 11241100x800000000000000010177Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:47.929{B364217D-6523-5FCE-0000-00104C031600}3792C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\ed0-0\System.ServiceModel.Discovery.dll2020-12-07 17:23:47.929 10341000x800000000000000010176Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:47.226{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6523-5FCE-0000-00104C031600}3792C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010175Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:47.210{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6509-5FCE-0000-0010FCE11400}3792C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010174Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:47.210{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6509-5FCE-0000-0010FCE11400}3792C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010173Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:47.116{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6509-5FCE-0000-00109CDD1400}6604C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010172Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:47.116{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6509-5FCE-0000-00109CDD1400}6604C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010171Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:47.116{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6509-5FCE-0000-00109CDD1400}6604C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010170Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:47.054{B364217D-6522-5FCE-0000-0010D2F81500}6952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1b28-0\System.ServiceModel.Channels.dll2020-12-07 17:23:47.054 10341000x800000000000000010191Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:48.804{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6524-5FCE-0000-00101E151600}5480C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010190Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:48.788{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-650B-5FCE-0000-001072EC1400}5480C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010189Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:48.788{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-650B-5FCE-0000-001072EC1400}5480C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010188Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:48.663{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-64F4-5FCE-0000-001031811400}6864C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010187Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:48.663{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-64F4-5FCE-0000-001031811400}6864C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010186Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:48.663{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-64F4-5FCE-0000-001031811400}6864C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010185Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:48.601{B364217D-6524-5FCE-0000-0010630D1600}4728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1278-0\System.ServiceModel.Internals.dll2020-12-07 17:23:48.601 10341000x800000000000000010184Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:48.257{B364217D-6460-5FCE-0000-00103A280900}35561164C:\Windows\servicing\TrustedInstaller.exe{B364217D-6460-5FCE-0000-0010A62A0900}4340C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\combase.dll+6eb98|C:\Windows\servicing\TrustedInstaller.exe+43a2|C:\Windows\servicing\TrustedInstaller.exe+1d1d|C:\Windows\servicing\TrustedInstaller.exe+28c6|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010183Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:48.054{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6524-5FCE-0000-0010630D1600}4728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010182Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:48.038{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6524-5FCE-0000-0010630D1600}4728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010181Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:48.038{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6524-5FCE-0000-0010630D1600}4728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010180Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:48.007{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6524-5FCE-0000-0010150A1600}6856C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010179Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:47.991{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6524-5FCE-0000-0010150A1600}6856C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010178Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:47.991{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6524-5FCE-0000-0010150A1600}6856C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010205Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:49.585{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6525-5FCE-0000-0010AC291600}6996C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010204Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:49.569{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6525-5FCE-0000-0010AC291600}6996C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010203Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:49.569{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6525-5FCE-0000-0010AC291600}6996C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010202Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:49.444{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6525-5FCE-0000-001037251600}664C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010201Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:49.444{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6525-5FCE-0000-001037251600}664C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010200Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:49.444{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6525-5FCE-0000-001037251600}664C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010199Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:49.382{B364217D-6525-5FCE-0000-0010AD1F1600}6812C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1a9c-0\System.ServiceModel.ServiceMoniker40.dll2020-12-07 17:23:49.382 10341000x800000000000000010198Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:49.351{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6525-5FCE-0000-0010AD1F1600}6812C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010197Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:49.335{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6525-5FCE-0000-0010AD1F1600}6812C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010196Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:49.335{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6525-5FCE-0000-0010AD1F1600}6812C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010195Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:49.304{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6525-5FCE-0000-0010CD1B1600}4628C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010194Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:49.288{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6525-5FCE-0000-0010CD1B1600}4628C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010193Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:49.288{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6525-5FCE-0000-0010CD1B1600}4628C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010192Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:49.226{B364217D-6524-5FCE-0000-00101E151600}5480C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1568-0\System.ServiceModel.Routing.dll2020-12-07 17:23:49.226 10341000x800000000000000010212Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:50.835{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-651C-5FCE-0000-00101FA41500}3340C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010211Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:50.835{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-651C-5FCE-0000-00101FA41500}3340C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010210Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:50.835{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-651C-5FCE-0000-00101FA41500}3340C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010209Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:50.773{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6526-5FCE-0000-0010D0311600}5664C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010208Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:50.773{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6526-5FCE-0000-0010D0311600}5664C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010207Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:50.773{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6526-5FCE-0000-0010D0311600}5664C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010206Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:50.694{B364217D-6525-5FCE-0000-0010AC291600}6996C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1b54-0\System.ServiceModel.Web.dll2020-12-07 17:23:50.694 10341000x800000000000000010219Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:52.288{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6528-5FCE-0000-00104D3D1600}4108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010218Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:52.273{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6528-5FCE-0000-00104D3D1600}4108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010217Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:52.273{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6528-5FCE-0000-00104D3D1600}4108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010216Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:52.132{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6528-5FCE-0000-0010B8381600}5708C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010215Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:52.116{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6528-5FCE-0000-0010B8381600}5708C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010214Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:23:52.116{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6528-5FCE-0000-0010B8381600}5708C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010213Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:23:52.038{B364217D-6526-5FCE-0000-00100A351600}3340C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\d0c-0\System.Speech.dll2020-12-07 17:23:52.038 13241300x800000000000000010225Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:23:55.507{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data 13241300x800000000000000010224Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:23:55.507{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008) 13241300x800000000000000010223Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:23:55.507{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000) 13241300x800000000000000010222Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:23:55.507{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d6ccbd-0xbd8db173) 13241300x800000000000000010221Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:23:55.507{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data 13241300x800000000000000010220Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:23:55.507{B364217D-61FE-5FCE-0000-0010D5C80000}1248C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001) 13241300x800000000000000010226Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:23:57.085{B364217D-61FE-5FCE-0000-001037C40000}1204C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6ccbd-0xbe7e804a) 10341000x800000000000000010244Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:01.944{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6531-5FCE-0000-0010D8541600}6736C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010243Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:01.944{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6531-5FCE-0000-0010D8541600}6736C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010242Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:01.944{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6531-5FCE-0000-0010D8541600}6736C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010241Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:24:01.882{B364217D-6531-5FCE-0000-001045511600}6548C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1994-0\System.Web.ApplicationServices.dll2020-12-07 17:24:01.882 10341000x800000000000000010240Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:01.819{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6531-5FCE-0000-001045511600}6548C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010239Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:01.819{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6531-5FCE-0000-001045511600}6548C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010238Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:01.819{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6531-5FCE-0000-001045511600}6548C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010237Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:01.788{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6531-5FCE-0000-0010014E1600}5508C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010236Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:01.772{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6503-5FCE-0000-00109AAF1400}5508C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010235Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:01.772{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6503-5FCE-0000-00109AAF1400}5508C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010234Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:24:01.725{B364217D-6531-5FCE-0000-0010B24A1600}7104C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1bc0-0\System.Web.Abstractions.dll2020-12-07 17:24:01.725 10341000x800000000000000010233Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:01.710{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6531-5FCE-0000-0010B24A1600}7104C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010232Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:01.694{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6531-5FCE-0000-0010B24A1600}7104C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010231Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:01.694{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6531-5FCE-0000-0010B24A1600}7104C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010230Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:01.538{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6531-5FCE-0000-001000461600}6844C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010229Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:01.538{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6531-5FCE-0000-001000461600}6844C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010228Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:01.538{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6531-5FCE-0000-001000461600}6844C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010227Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:24:01.288{B364217D-6528-5FCE-0000-00104D3D1600}4108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\100c-0\System.Web.dll2020-12-07 17:24:01.288 10341000x800000000000000010247Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:02.179{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6532-5FCE-0000-0010B3581600}5572C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010246Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:02.163{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6532-5FCE-0000-0010B3581600}5572C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010245Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:02.163{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6532-5FCE-0000-0010B3581600}5572C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010258Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:05.835{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6535-5FCE-0000-001030671600}5024C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010257Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:05.819{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6507-5FCE-0000-00103DCC1400}5024C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010256Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:05.819{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6507-5FCE-0000-00103DCC1400}5024C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010255Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:24:05.757{B364217D-6535-5FCE-0000-00107C621600}5460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1554-0\System.Web.DataVisualization.Design.dll2020-12-07 17:24:05.757 10341000x800000000000000010254Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:05.460{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6506-5FCE-0000-001016C01400}5460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010253Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:05.460{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6506-5FCE-0000-001016C01400}5460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010252Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:05.460{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6506-5FCE-0000-001016C01400}5460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010251Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:05.319{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6535-5FCE-0000-0010655E1600}6232C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010250Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:05.319{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6535-5FCE-0000-0010655E1600}6232C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010249Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:05.319{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6535-5FCE-0000-0010655E1600}6232C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010248Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:24:05.210{B364217D-6532-5FCE-0000-0010B3581600}5572C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\15c4-0\System.Web.DataVisualization.dll2020-12-07 17:24:05.210 10341000x800000000000000010261Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:06.007{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6518-5FCE-0000-0010B9601500}6644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010260Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:06.007{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6518-5FCE-0000-0010B9601500}6644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010259Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:06.007{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6518-5FCE-0000-0010B9601500}6644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010265Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:07.538{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6537-5FCE-0000-001026741600}5748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010264Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:07.538{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6537-5FCE-0000-001026741600}5748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010263Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:07.538{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6537-5FCE-0000-001026741600}5748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010262Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:24:07.444{B364217D-6536-5FCE-0000-00109F6C1600}6644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\19f4-0\System.Web.Extensions.dll2020-12-07 17:24:07.444 10341000x800000000000000010279Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:08.694{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6538-5FCE-0000-001060861600}3704C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010278Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:08.678{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6538-5FCE-0000-001060861600}3704C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010277Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:08.678{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6538-5FCE-0000-001060861600}3704C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010276Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:08.553{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6538-5FCE-0000-001038821600}5740C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010275Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:08.553{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6538-5FCE-0000-001038821600}5740C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010274Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:08.553{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6538-5FCE-0000-001038821600}5740C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010273Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:24:08.491{B364217D-6538-5FCE-0000-00105A7D1600}1264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\4f0-0\System.Web.DynamicData.Design.dll2020-12-07 17:24:08.491 10341000x800000000000000010272Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:08.350{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6538-5FCE-0000-00105A7D1600}1264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010271Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:08.350{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6538-5FCE-0000-00105A7D1600}1264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010270Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:08.350{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6538-5FCE-0000-00105A7D1600}1264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010269Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:08.225{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6538-5FCE-0000-00101B791600}7012C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010268Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:08.210{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6538-5FCE-0000-00101B791600}7012C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010267Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:08.210{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6538-5FCE-0000-00101B791600}7012C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010266Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:24:08.147{B364217D-6537-5FCE-0000-001026741600}5748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1674-0\System.Web.DynamicData.dll2020-12-07 17:24:08.147 10341000x800000000000000010296Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:09.913{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6539-5FCE-0000-0010E99D1600}2480C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010295Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:09.913{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6539-5FCE-0000-0010E99D1600}2480C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010294Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:09.913{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6539-5FCE-0000-0010E99D1600}2480C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010293Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:09.741{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6539-5FCE-0000-0010A9991600}4776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010292Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:09.741{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6539-5FCE-0000-0010A9991600}4776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010291Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:09.741{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6539-5FCE-0000-0010A9991600}4776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010290Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:09.585{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6539-5FCE-0000-001063941600}5464C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010289Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:09.569{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6539-5FCE-0000-001063941600}5464C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010288Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:09.569{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6539-5FCE-0000-001063941600}5464C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010287Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:24:09.507{B364217D-6539-5FCE-0000-0010418F1600}5952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1740-0\System.Web.Entity.Design.dll2020-12-07 17:24:09.507 10341000x800000000000000010286Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:09.225{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6539-5FCE-0000-0010418F1600}5952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010285Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:09.210{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6539-5FCE-0000-0010418F1600}5952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010284Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:09.210{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6539-5FCE-0000-0010418F1600}5952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010283Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:09.085{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6539-5FCE-0000-00102D8B1600}4304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010282Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:09.069{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6539-5FCE-0000-00102D8B1600}4304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010281Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:09.069{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6539-5FCE-0000-00102D8B1600}4304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010280Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:24:09.022{B364217D-6538-5FCE-0000-001060861600}3704C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\e78-0\System.Web.Entity.dll2020-12-07 17:24:09.022 10341000x800000000000000010303Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:10.803{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-653A-5FCE-0000-00102AA71600}2372C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010302Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:10.803{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-653A-5FCE-0000-00102AA71600}2372C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010301Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:10.803{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-653A-5FCE-0000-00102AA71600}2372C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010300Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:10.600{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6524-5FCE-0000-00103C111600}6864C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010299Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:10.600{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6524-5FCE-0000-00103C111600}6864C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010298Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:10.600{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6524-5FCE-0000-00103C111600}6864C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010297Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:24:10.522{B364217D-6539-5FCE-0000-0010E99D1600}2480C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\9b0-0\System.Web.Extensions.Design.dll2020-12-07 17:24:10.522 11241100x800000000000000010318Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:24:12.960{B364217D-653C-5FCE-0000-0010A6B71600}5996C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\176c-0\System.Web.Routing.dll2020-12-07 17:24:12.960 10341000x800000000000000010317Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:12.944{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-653C-5FCE-0000-0010A6B71600}5996C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010316Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:12.928{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-651B-5FCE-0000-0010599D1500}5996C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010315Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:12.928{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-651B-5FCE-0000-0010599D1500}5996C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010314Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:12.788{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-653C-5FCE-0000-001012B31600}5524C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010313Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:12.788{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-653C-5FCE-0000-001012B31600}5524C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010312Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:12.788{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-653C-5FCE-0000-001012B31600}5524C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010311Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:24:12.725{B364217D-653C-5FCE-0000-0010A4AF1600}3192C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\c78-0\System.Web.RegularExpressions.dll2020-12-07 17:24:12.725 10341000x800000000000000010310Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:12.506{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-653C-5FCE-0000-0010A4AF1600}3192C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010309Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:12.491{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-653C-5FCE-0000-0010A4AF1600}3192C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010308Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:12.491{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-653C-5FCE-0000-0010A4AF1600}3192C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010307Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:12.460{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-653C-5FCE-0000-001054AC1600}3924C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010306Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:12.460{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-653C-5FCE-0000-001054AC1600}3924C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010305Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:12.460{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-653C-5FCE-0000-001054AC1600}3924C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010304Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:24:12.366{B364217D-653A-5FCE-0000-00102AA71600}2372C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\944-0\System.Web.Mobile.dll2020-12-07 17:24:12.366 10341000x800000000000000010324Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:13.131{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-653D-5FCE-0000-0010CFBE1600}4056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010323Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:13.131{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-653D-5FCE-0000-0010CFBE1600}4056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010322Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:13.131{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-653D-5FCE-0000-0010CFBE1600}4056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010321Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:13.022{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-653D-5FCE-0000-0010EBBA1600}3836C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010320Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:13.006{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-653D-5FCE-0000-0010EBBA1600}3836C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010319Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:13.006{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-653D-5FCE-0000-0010EBBA1600}3836C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010331Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:14.694{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-653E-5FCE-0000-00100FC81600}5644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010330Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:14.678{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-653E-5FCE-0000-00100FC81600}5644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010329Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:14.678{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-653E-5FCE-0000-00100FC81600}5644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010328Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:14.444{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-653E-5FCE-0000-00103DC41600}6980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010327Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:14.444{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-653E-5FCE-0000-00103DC41600}6980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010326Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:14.444{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-653E-5FCE-0000-00103DC41600}6980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010325Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:24:14.350{B364217D-653D-5FCE-0000-0010CFBE1600}4056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\fd8-0\System.Windows.Controls.Ribbon.dll2020-12-07 17:24:14.350 10341000x800000000000000010335Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:17.866{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-651D-5FCE-0000-00108CB71500}6176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010334Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:17.866{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-651D-5FCE-0000-00108CB71500}6176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010333Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:17.866{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-651D-5FCE-0000-00108CB71500}6176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010332Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:24:17.756{B364217D-653E-5FCE-0000-00100FC81600}5644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\160c-0\System.Windows.Forms.DataVisualization.dll2020-12-07 17:24:17.756 10341000x800000000000000010364Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:18.866{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6542-5FCE-0000-00101EE61600}6888C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010363Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:18.866{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6542-5FCE-0000-00101EE61600}6888C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010362Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:18.866{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6542-5FCE-0000-00101EE61600}6888C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010361Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:24:18.803{B364217D-6542-5FCE-0000-0010D8E01600}6916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1b04-0\System.Windows.Presentation.dll2020-12-07 17:24:18.803 10341000x800000000000000010360Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:18.725{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6542-5FCE-0000-0010D8E01600}6916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010359Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:18.725{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6542-5FCE-0000-0010D8E01600}6916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010358Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:18.725{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6542-5FCE-0000-0010D8E01600}6916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010357Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:18.678{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6542-5FCE-0000-0010B1DB1600}6928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010356Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:18.678{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-6542-5FCE-0000-0010A2DB1600}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010355Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:18.678{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010354Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:18.678{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010353Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:18.678{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010352Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:18.678{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010351Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:18.678{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6542-5FCE-0000-0010B1DB1600}6928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010350Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:18.678{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6542-5FCE-0000-0010B1DB1600}6928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010349Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:18.678{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6542-5FCE-0000-0010A2DB1600}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010348Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:18.678{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-6542-5FCE-0000-0010A2DB1600}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000010347Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:18.679{B364217D-6542-5FCE-0000-0010A2DB1600}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000010346Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:24:18.616{B364217D-6542-5FCE-0000-00100DD81600}6908C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1afc-0\System.Windows.Input.Manipulations.dll2020-12-07 17:24:18.616 10341000x800000000000000010345Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:18.413{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6542-5FCE-0000-00100DD81600}6908C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010344Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:18.413{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6542-5FCE-0000-00100DD81600}6908C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010343Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:18.413{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6542-5FCE-0000-00100DD81600}6908C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010342Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:18.303{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6542-5FCE-0000-0010C4D41600}6088C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010341Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:18.288{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6542-5FCE-0000-0010C4D41600}6088C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010340Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:18.288{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6542-5FCE-0000-0010C4D41600}6088C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010339Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:24:18.241{B364217D-6541-5FCE-0000-001093D01600}5776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1690-0\System.Windows.Forms.DataVisualization.Design.dll2020-12-07 17:24:18.241 10341000x800000000000000010338Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:17.991{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6541-5FCE-0000-001093D01600}5776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010337Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:17.991{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6541-5FCE-0000-001093D01600}5776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010336Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:17.991{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6541-5FCE-0000-001093D01600}5776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010376Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:19.491{B364217D-6543-5FCE-0000-0010F8EE1600}59921912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010375Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:19.350{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-6543-5FCE-0000-0010F8EE1600}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010374Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:19.350{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010373Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:19.350{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010372Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:19.350{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010371Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:19.350{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010370Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:19.350{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6543-5FCE-0000-0010F8EE1600}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010369Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:19.350{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-6543-5FCE-0000-0010F8EE1600}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000010368Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:19.351{B364217D-6543-5FCE-0000-0010F8EE1600}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000010367Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:19.069{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6543-5FCE-0000-00105BEA1600}6236C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010366Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:19.069{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6543-5FCE-0000-00105BEA1600}6236C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010365Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:19.069{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6543-5FCE-0000-00105BEA1600}6236C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010384Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:20.022{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-6535-5FCE-0000-00107C621600}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010383Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:20.022{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010382Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:20.022{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010381Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:20.022{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010380Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:20.022{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010379Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:20.022{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6535-5FCE-0000-00107C621600}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010378Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:20.022{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-6535-5FCE-0000-00107C621600}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000010377Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:20.023{B364217D-6544-5FCE-0000-00101DF11600}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000010400Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:21.350{B364217D-6545-5FCE-0000-001091F61600}71126644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010399Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:21.272{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6545-5FCE-0000-0010EFF81600}6264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010398Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:21.256{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6545-5FCE-0000-0010EFF81600}6264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010397Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:21.256{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6545-5FCE-0000-0010EFF81600}6264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010396Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:21.209{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-6545-5FCE-0000-001091F61600}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010395Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:21.209{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010394Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:21.209{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010393Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:21.209{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010392Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:21.209{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010391Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:21.209{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6545-5FCE-0000-001091F61600}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010390Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:21.209{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-6545-5FCE-0000-001091F61600}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000010389Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:21.210{B364217D-6545-5FCE-0000-001091F61600}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000010388Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:21.131{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6535-5FCE-0000-001030671600}5024C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010387Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:21.131{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6535-5FCE-0000-001030671600}5024C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010386Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:21.131{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6535-5FCE-0000-001030671600}5024C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010385Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:24:21.038{B364217D-6543-5FCE-0000-00105BEA1600}6236C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\185c-0\System.Workflow.Activities.dll2020-12-07 17:24:21.038 10341000x800000000000000010418Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:22.803{B364217D-6546-5FCE-0000-00101DFF1600}55926580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010417Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:22.647{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-6546-5FCE-0000-00101DFF1600}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010416Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:22.647{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010415Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:22.647{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010414Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:22.647{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010413Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:22.647{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010412Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:22.647{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6546-5FCE-0000-00101DFF1600}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010411Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:22.647{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-6546-5FCE-0000-00101DFF1600}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000010410Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:22.649{B364217D-6546-5FCE-0000-00101DFF1600}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000010409Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:22.241{B364217D-6546-5FCE-0000-001050FD1600}18922660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010408Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:22.084{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-6546-5FCE-0000-001050FD1600}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010407Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:22.084{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010406Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:22.084{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010405Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:22.084{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010404Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:22.084{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010403Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:22.084{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6546-5FCE-0000-001050FD1600}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010402Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:22.084{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-6546-5FCE-0000-001050FD1600}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000010401Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:22.085{B364217D-6546-5FCE-0000-001050FD1600}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000010426Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:23.959{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-6547-5FCE-0000-001089011700}4680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010425Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:23.959{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010424Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:23.959{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010423Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:23.959{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010422Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:23.959{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010421Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:23.959{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6547-5FCE-0000-001089011700}4680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010420Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:23.959{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-6547-5FCE-0000-001089011700}4680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000010419Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:23.960{B364217D-6547-5FCE-0000-001089011700}4680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000010433Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:24.600{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6548-5FCE-0000-001054081700}5448C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010432Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:24.600{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6548-5FCE-0000-001054081700}5448C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010431Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:24.600{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6548-5FCE-0000-001054081700}5448C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010430Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:24.459{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6548-5FCE-0000-0010B3031700}6532C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010429Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:24.459{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6548-5FCE-0000-0010B3031700}6532C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010428Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:24.459{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6548-5FCE-0000-0010B3031700}6532C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010427Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:24:24.350{B364217D-6545-5FCE-0000-0010EFF81600}6264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1878-0\System.Workflow.ComponentModel.dll2020-12-07 17:24:24.350 10341000x800000000000000010440Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:26.553{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-654A-5FCE-0000-0010A2141700}6856C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010439Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:26.537{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6524-5FCE-0000-0010150A1600}6856C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010438Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:26.537{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6524-5FCE-0000-0010150A1600}6856C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010437Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:26.428{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-654A-5FCE-0000-0010A60F1700}5964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010436Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:26.412{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-654A-5FCE-0000-0010A60F1700}5964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010435Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:26.412{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-654A-5FCE-0000-0010A60F1700}5964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010434Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:24:26.334{B364217D-6548-5FCE-0000-001054081700}5448C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1548-0\System.Workflow.Runtime.dll2020-12-07 17:24:26.334 11241100x800000000000000010448Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:24:27.944{B364217D-654B-5FCE-0000-00104D211700}2412C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\96c-0\System.Xaml.Hosting.dll2020-12-07 17:24:27.944 10341000x800000000000000010447Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:27.787{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-654B-5FCE-0000-00104D211700}2412C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010446Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:27.787{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-654B-5FCE-0000-00104D211700}2412C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010445Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:27.787{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-654B-5FCE-0000-00104D211700}2412C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010444Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:27.662{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-654B-5FCE-0000-0010821D1700}6868C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010443Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:27.662{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-654B-5FCE-0000-0010821D1700}6868C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010442Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:27.662{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-654B-5FCE-0000-0010821D1700}6868C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010441Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:24:27.584{B364217D-654A-5FCE-0000-0010A2141700}6856C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1ac8-0\System.WorkflowServices.dll2020-12-07 17:24:27.584 10341000x800000000000000010471Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:28.756{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-654C-5FCE-0000-00106D3C1700}636C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010470Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:28.741{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-654C-5FCE-0000-00106D3C1700}636C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010469Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:28.741{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-654C-5FCE-0000-00106D3C1700}636C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010468Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:28.647{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6513-5FCE-0000-0010081B1500}4544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010467Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:28.647{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6513-5FCE-0000-0010081B1500}4544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010466Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:28.647{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6513-5FCE-0000-0010081B1500}4544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010465Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:24:28.584{B364217D-654C-5FCE-0000-00108F341700}6816C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1aa0-0\UIAutomationClient.dll2020-12-07 17:24:28.584 10341000x800000000000000010464Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:28.241{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-654C-5FCE-0000-00108F341700}6816C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010463Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:28.241{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-654C-5FCE-0000-00108F341700}6816C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010462Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:28.241{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-654C-5FCE-0000-00108F341700}6816C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010461Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:28.178{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-654C-5FCE-0000-0010E2301700}6808C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010460Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:28.178{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-654C-5FCE-0000-0010E2301700}6808C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010459Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:28.178{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-654C-5FCE-0000-0010E2301700}6808C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010458Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:28.131{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-654C-5FCE-0000-00102E2D1700}5684C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010457Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:28.131{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-654C-5FCE-0000-00102E2D1700}5684C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010456Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:28.131{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-654C-5FCE-0000-00102E2D1700}5684C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010455Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:24:28.084{B364217D-654C-5FCE-0000-00100E2A1700}6160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1810-0\System.Xml.Serialization.dll2020-12-07 17:24:28.084 10341000x800000000000000010454Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:28.053{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-654C-5FCE-0000-00100E2A1700}6160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010453Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:28.053{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-654C-5FCE-0000-00100E2A1700}6160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010452Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:28.053{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-654C-5FCE-0000-00100E2A1700}6160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010451Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:28.006{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6539-5FCE-0000-0010E99D1600}2480C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010450Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:28.006{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6539-5FCE-0000-0010E99D1600}2480C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010449Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:28.006{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6539-5FCE-0000-0010E99D1600}2480C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010533Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.772{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-654D-5FCE-0000-0010184D1700}6792C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010532Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.756{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-651C-5FCE-0000-001015B21500}6792C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010531Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.756{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-651C-5FCE-0000-001015B21500}6792C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010530Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.725{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-654D-5FCE-0000-0010B4491700}6640C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010529Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.725{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-654D-5FCE-0000-0010B4491700}6640C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010528Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.725{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-654D-5FCE-0000-0010B4491700}6640C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010527Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:24:29.662{B364217D-654D-5FCE-0000-0010F2451700}6172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\181c-0\UIAutomationProvider.dll2020-12-07 17:24:29.662 10341000x800000000000000010526Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.569{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-654D-5FCE-0000-0010F2451700}6172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010525Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.569{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-654D-5FCE-0000-0010F2451700}6172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010524Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.569{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-654D-5FCE-0000-0010F2451700}6172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010523Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.522{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-653D-5FCE-0000-0010EBBA1600}3836C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010522Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.522{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-653D-5FCE-0000-0010EBBA1600}3836C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010521Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.522{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-653D-5FCE-0000-0010EBBA1600}3836C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010520Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010519Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-00104B090A00}5692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010518Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010517Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010516Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010515Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010514Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010513Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010512Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010511Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010510Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010509Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010508Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010507Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010506Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010505Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010504Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010503Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-0010EAFF0900}5628C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010502Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6462-5FCE-0000-0010EAFF0900}5628C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010501Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010500Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010499Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010498Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010497Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010496Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010495Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010494Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010493Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010492Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010491Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010490Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010489Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010488Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010487Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010486Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010485Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010484Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010483Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010482Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010481Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010480Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010479Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010478Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010477Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010476Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010475Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010474Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010473Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:29.506{B364217D-61FE-5FCE-0000-0010F9A90000}992632C:\Windows\system32\svchost.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010472Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:24:29.459{B364217D-654C-5FCE-0000-00106D3C1700}636C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\27c-0\UIAutomationClientsideProviders.dll2020-12-07 17:24:29.459 10341000x800000000000000010556Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:30.756{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6542-5FCE-0000-0010A2DB1600}6076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010555Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:30.756{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6542-5FCE-0000-0010A2DB1600}6076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010554Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:30.756{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6542-5FCE-0000-0010A2DB1600}6076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010553Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:30.631{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-654E-5FCE-0000-0010CB641700}6924C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010552Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:30.631{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-654E-5FCE-0000-0010CB641700}6924C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010551Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:30.631{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-654E-5FCE-0000-0010CB641700}6924C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010550Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:30.600{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-654E-5FCE-0000-001045611700}6216C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010549Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:30.584{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-654E-5FCE-0000-001045611700}6216C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010548Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:30.584{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-654E-5FCE-0000-001045611700}6216C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010547Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:30.553{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-654E-5FCE-0000-00108E5D1700}3968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010546Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:30.537{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-654E-5FCE-0000-00108E5D1700}3968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010545Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:30.537{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-654E-5FCE-0000-00108E5D1700}3968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010544Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:30.490{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-654E-5FCE-0000-00103E5A1700}7100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010543Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:30.475{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-654E-5FCE-0000-00103E5A1700}7100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010542Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:30.475{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-654E-5FCE-0000-00103E5A1700}7100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010541Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:24:30.412{B364217D-654E-5FCE-0000-0010C8541700}6564C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\19a4-0\WindowsFormsIntegration.dll2020-12-07 17:24:30.412 10341000x800000000000000010540Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:30.178{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-654E-5FCE-0000-0010C8541700}6564C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010539Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:30.162{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-654E-5FCE-0000-0010C8541700}6564C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010538Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:30.162{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-654E-5FCE-0000-0010C8541700}6564C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010537Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:30.116{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-654E-5FCE-0000-0010E6501700}5752C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010536Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:30.116{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-654E-5FCE-0000-0010E6501700}5752C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010535Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:30.116{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-654E-5FCE-0000-0010E6501700}5752C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010534Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:24:30.053{B364217D-654D-5FCE-0000-0010184D1700}6792C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1a88-0\UIAutomationTypes.dll2020-12-07 17:24:30.053 10341000x800000000000000010597Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.975{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-654F-5FCE-0000-001078971700}6764C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010596Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.975{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-654F-5FCE-0000-001078971700}6764C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010595Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.975{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-654F-5FCE-0000-001078971700}6764C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010594Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.959{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-654F-5FCE-0000-0010D0941700}1180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010593Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.944{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-654F-5FCE-0000-0010D0941700}1180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010592Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.944{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-654F-5FCE-0000-0010D0941700}1180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010591Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.944{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-654F-5FCE-0000-00106C921700}6264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010590Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.928{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6545-5FCE-0000-0010EFF81600}6264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010589Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.928{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6545-5FCE-0000-0010EFF81600}6264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010588Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.912{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-654F-5FCE-0000-0010708E1700}7048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010587Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.897{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-654F-5FCE-0000-0010708E1700}7048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010586Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.897{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-654F-5FCE-0000-0010708E1700}7048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010585Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.897{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-654F-5FCE-0000-00100C8C1700}3204C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010584Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.881{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-654F-5FCE-0000-00100C8C1700}3204C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010583Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.881{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-654F-5FCE-0000-00100C8C1700}3204C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010582Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.865{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-654F-5FCE-0000-001092891700}6628C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010581Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.865{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-654F-5FCE-0000-001092891700}6628C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010580Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.865{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-654F-5FCE-0000-001092891700}6628C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010579Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.850{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{00000000-0000-0000-0000-000000000000}6600C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010578Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.850{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}6600C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010577Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.850{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}6600C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010576Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.834{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-654F-5FCE-0000-00105C841700}6272C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010575Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.819{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}6272C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010574Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.819{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}6272C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010573Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.803{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{00000000-0000-0000-0000-000000000000}2484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010572Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.803{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010571Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.803{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}2484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010570Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.787{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-654F-5FCE-0000-0010D87E1700}5560C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010569Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.772{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}5560C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010568Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.772{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}5560C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010567Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.756{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{00000000-0000-0000-0000-000000000000}4552C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010566Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.756{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}4552C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010565Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.756{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}4552C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010564Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:24:31.678{B364217D-654F-5FCE-0000-00103F711700}6196C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1834-0\XsdBuildTask.dll2020-12-07 17:24:31.678 10341000x800000000000000010563Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.459{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-654F-5FCE-0000-00103F711700}6196C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010562Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.444{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6518-5FCE-0000-0010195D1500}6196C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010561Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.444{B364217D-6457-5FCE-0000-0010071E0800}18403048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6518-5FCE-0000-0010195D1500}6196C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010560Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.319{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-654F-5FCE-0000-0010776D1700}6656C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010559Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.319{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-654F-5FCE-0000-0010776D1700}6656C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010558Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.319{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-654F-5FCE-0000-0010776D1700}6656C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010557Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:24:31.256{B364217D-654E-5FCE-0000-00108A681700}6076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\17bc-0\XamlBuildTask.dll2020-12-07 17:24:31.256 10341000x800000000000000010726Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.912{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-0010110F1800}6764C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010725Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.912{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6550-5FCE-0000-0010110F1800}6764C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010724Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.912{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6550-5FCE-0000-0010110F1800}6764C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010723Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.897{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-0010A80C1800}1180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010722Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.881{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-654F-5FCE-0000-0010D0941700}1180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010721Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.881{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-654F-5FCE-0000-0010D0941700}1180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010720Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.865{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-654F-5FCE-0000-00106C921700}6264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010719Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.865{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-654F-5FCE-0000-00106C921700}6264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010718Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.865{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-654F-5FCE-0000-00106C921700}6264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010717Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.850{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-0010D5061800}7048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010716Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.834{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-654F-5FCE-0000-0010708E1700}7048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010715Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.834{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-654F-5FCE-0000-0010708E1700}7048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010714Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.834{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-001040041800}3204C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010713Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.819{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-654F-5FCE-0000-00100C8C1700}3204C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010712Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.819{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-654F-5FCE-0000-00100C8C1700}3204C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010711Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.803{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-651A-5FCE-0000-001019781500}6044C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010710Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.803{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-651A-5FCE-0000-001019781500}6044C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010709Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.803{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-651A-5FCE-0000-001019781500}6044C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010708Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.787{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-0010DFFE1700}4600C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010707Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.772{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6550-5FCE-0000-0010DFFE1700}4600C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010706Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.772{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6550-5FCE-0000-0010DFFE1700}4600C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010705Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.756{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-001053FC1700}3828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010704Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.756{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6550-5FCE-0000-001053FC1700}3828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010703Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.756{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6550-5FCE-0000-001053FC1700}3828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010702Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.740{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-0010D3F91700}6508C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010701Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.740{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6550-5FCE-0000-0010D3F91700}6508C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010700Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.740{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6550-5FCE-0000-0010D3F91700}6508C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010699Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.725{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-001068F71700}6284C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010698Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.709{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6519-5FCE-0000-001070661500}6284C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010697Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.709{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6519-5FCE-0000-001070661500}6284C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010696Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.709{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-0010FBF41700}6396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010695Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.694{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6520-5FCE-0000-0010A8DB1500}6396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010694Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.694{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6520-5FCE-0000-0010A8DB1500}6396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010693Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.678{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-001097F21700}6092C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010692Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.678{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6550-5FCE-0000-001097F21700}6092C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010691Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.678{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6550-5FCE-0000-001097F21700}6092C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010690Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.662{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-0010B1EF1700}7156C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010689Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.647{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-651F-5FCE-0000-0010BFD71500}7156C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010688Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.647{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-651F-5FCE-0000-0010BFD71500}7156C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010687Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.647{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-001024ED1700}6380C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010686Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.631{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6550-5FCE-0000-001024ED1700}6380C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010685Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.631{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6550-5FCE-0000-001024ED1700}6380C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010684Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.615{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-001068EA1700}7108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010683Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.615{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6550-5FCE-0000-001068EA1700}7108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010682Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.615{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6550-5FCE-0000-001068EA1700}7108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010681Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.600{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-0010FDE71700}6904C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010680Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.584{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6516-5FCE-0000-00107E521500}6904C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010679Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.584{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6516-5FCE-0000-00107E521500}6904C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010678Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.584{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-00105CE51700}6372C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010677Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.569{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6550-5FCE-0000-00105CE51700}6372C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010676Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.569{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6550-5FCE-0000-00105CE51700}6372C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010675Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.553{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-00104CE21700}5860C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010674Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.553{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6550-5FCE-0000-00104CE21700}5860C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010673Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.553{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6550-5FCE-0000-00104CE21700}5860C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010672Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.537{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-00104BDF1700}6392C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010671Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.522{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6550-5FCE-0000-00104BDF1700}6392C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010670Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.522{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6550-5FCE-0000-00104BDF1700}6392C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010669Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.506{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-0010ABDC1700}6276C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010668Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.506{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6550-5FCE-0000-0010ABDC1700}6276C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010667Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.506{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6550-5FCE-0000-0010ABDC1700}6276C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010666Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.490{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-0010EBD91700}6844C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010665Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.490{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6550-5FCE-0000-0010EBD91700}6844C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010664Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.490{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6550-5FCE-0000-0010EBD91700}6844C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010663Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.475{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-001074D71700}5688C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010662Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.459{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6550-5FCE-0000-001074D71700}5688C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010661Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.459{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6550-5FCE-0000-001074D71700}5688C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010660Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.444{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-651C-5FCE-0000-001047AE1500}6880C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010659Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.444{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-651C-5FCE-0000-001047AE1500}6880C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010658Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.444{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-651C-5FCE-0000-001047AE1500}6880C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010657Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.428{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-001050D21700}4076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010656Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.428{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6550-5FCE-0000-001050D21700}4076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010655Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.428{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6550-5FCE-0000-001050D21700}4076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010654Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.412{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-0010D8CF1700}6668C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010653Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.397{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6550-5FCE-0000-0010D8CF1700}6668C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010652Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.397{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6550-5FCE-0000-0010D8CF1700}6668C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010651Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.381{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-653E-5FCE-0000-00103DC41600}6980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010650Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.381{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-653E-5FCE-0000-00103DC41600}6980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010649Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.381{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-653E-5FCE-0000-00103DC41600}6980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010648Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.365{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-001005CB1700}1580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010647Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.365{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6550-5FCE-0000-001005CB1700}1580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010646Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.365{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6550-5FCE-0000-001005CB1700}1580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010645Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.350{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-00108EC81700}6832C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010644Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.334{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6550-5FCE-0000-00108EC81700}6832C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010643Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.334{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6550-5FCE-0000-00108EC81700}6832C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010642Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.334{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-00100BC61700}2512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010641Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.319{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6550-5FCE-0000-00100BC61700}2512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010640Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.319{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6550-5FCE-0000-00100BC61700}2512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010639Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.303{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-00108DC31700}1400C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010638Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.303{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6550-5FCE-0000-00108DC31700}1400C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010637Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.303{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6550-5FCE-0000-00108DC31700}1400C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010636Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.287{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-00100AC11700}6988C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010635Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.272{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6550-5FCE-0000-00100AC11700}6988C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010634Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.272{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6550-5FCE-0000-00100AC11700}6988C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010633Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.272{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-001064BE1700}3192C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010632Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.256{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-653C-5FCE-0000-0010A4AF1600}3192C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010631Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.256{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-653C-5FCE-0000-0010A4AF1600}3192C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010630Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.240{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{00000000-0000-0000-0000-000000000000}5852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010629Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.240{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}5852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010628Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.240{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}5852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010627Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.225{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-001058B91700}6784C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010626Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.209{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-651B-5FCE-0000-00102B9A1500}6784C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010625Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.209{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-651B-5FCE-0000-00102B9A1500}6784C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010624Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.209{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-0010F5B61700}6720C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010623Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.194{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}6720C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010622Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.194{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}6720C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010621Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.178{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{00000000-0000-0000-0000-000000000000}6852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010620Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.178{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}6852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010619Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.178{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}6852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010618Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.162{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{00000000-0000-0000-0000-000000000000}2856C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010617Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.162{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2856C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010616Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.162{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}2856C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010615Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.147{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-00104DAF1700}5228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010614Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.131{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}5228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010613Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.131{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}5228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010612Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.115{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-654B-5FCE-0000-0010821D1700}6868C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010611Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.115{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-654B-5FCE-0000-0010821D1700}6868C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010610Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.115{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-654B-5FCE-0000-0010821D1700}6868C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010609Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.084{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-0010A9A51700}5484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010608Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.069{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}5484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010607Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.069{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}5484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010606Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.037{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-0010A39F1700}4284C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010605Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.037{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6550-5FCE-0000-0010A39F1700}4284C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010604Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.037{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6550-5FCE-0000-0010A39F1700}4284C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010603Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.022{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-0010D89C1700}5080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010602Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.006{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6550-5FCE-0000-0010D89C1700}5080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010601Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.006{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-6550-5FCE-0000-0010D89C1700}5080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010600Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.006{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-654F-5FCE-0000-0010F6991700}3644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010599Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.990{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-651A-5FCE-0000-0010A47E1500}3644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010598Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:31.990{B364217D-6457-5FCE-0000-0010071E0800}18402728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{B364217D-651A-5FCE-0000-0010A47E1500}3644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010742Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:33.959{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6551-5FCE-0000-0010E4301800}6760C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010741Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:33.959{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6551-5FCE-0000-0010E4301800}6760C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010740Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:33.959{B364217D-6459-5FCE-0000-001094380800}43846804C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6551-5FCE-0000-0010E4301800}6760C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x800000000000000010739Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:33.803{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6551-5FCE-0000-0010872D1800}5916C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010738Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:33.787{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6551-5FCE-0000-0010872D1800}5916C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010737Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:33.787{B364217D-6459-5FCE-0000-001094380800}43842508C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6551-5FCE-0000-0010872D1800}5916C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x800000000000000010736Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:33.444{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6459-5FCE-0000-001094380800}4384C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010735Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:33.444{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6551-5FCE-0000-0010F1291800}6856C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010734Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:33.412{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-654A-5FCE-0000-0010A2141700}6856C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010733Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:33.412{B364217D-6459-5FCE-0000-001094380800}43842508C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-654A-5FCE-0000-0010A2141700}6856C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x800000000000000010732Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:33.115{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6457-5FCE-0000-001050120800}2912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010731Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.975{B364217D-61FC-5FCE-0000-001019540000}8564172C:\Windows\system32\lsass.exe{B364217D-6550-5FCE-0000-001008161800}6708C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010730Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.975{B364217D-61FC-5FCE-0000-001019540000}8564172C:\Windows\system32\lsass.exe{B364217D-6550-5FCE-0000-001008161800}6708C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010729Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.959{B364217D-6457-5FCE-0000-001074130800}49605068C:\Windows\system32\conhost.exe{B364217D-6550-5FCE-0000-001008161800}6708C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010728Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.959{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6550-5FCE-0000-001008161800}6708C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010727Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:32.959{B364217D-6457-5FCE-0000-001050120800}29124660C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe{B364217D-6550-5FCE-0000-001008161800}6708C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.DLL+32979|UNKNOWN(00007FF7F4F25147) 11241100x800000000000000010743Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:24:38.725{B364217D-6551-5FCE-0000-0010E4301800}6760C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1a68-0\System.dll2020-12-07 17:24:38.725 10341000x800000000000000010749Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:39.475{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6557-5FCE-0000-0010C2391800}6824C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010748Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:39.459{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6557-5FCE-0000-0010C2391800}6824C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010747Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:39.459{B364217D-6459-5FCE-0000-001094380800}43846804C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6557-5FCE-0000-0010C2391800}6824C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x800000000000000010746Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:39.147{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-654C-5FCE-0000-00100E2A1700}6160C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010745Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:39.147{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-654C-5FCE-0000-00100E2A1700}6160C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010744Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:39.147{B364217D-6459-5FCE-0000-001094380800}43842508C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-654C-5FCE-0000-00100E2A1700}6160C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x800000000000000010810Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.990{B364217D-6461-5FCE-0000-0010058A0900}18206368C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\execmodelclient.dll+79be|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000010809Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.990{B364217D-6461-5FCE-0000-0010058A0900}18206368C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\execmodelclient.dll+791a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000010808Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.990{B364217D-6461-5FCE-0000-001072CC0900}55122336C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010807Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.990{B364217D-6461-5FCE-0000-001072CC0900}55122336C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010806Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.693{B364217D-6461-5FCE-0000-0010058A0900}18206368C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\shcore.dll+316d6|C:\Windows\System32\shcore.dll+21cbf|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x800000000000000010805Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.693{B364217D-6461-5FCE-0000-0010058A0900}18206368C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\shcore.dll+316d6|C:\Windows\System32\shcore.dll+21cbf|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x800000000000000010804Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.693{B364217D-6461-5FCE-0000-0010058A0900}18206268C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\shcore.dll+316d6|C:\Windows\System32\shcore.dll+21cbf|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x800000000000000010803Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.693{B364217D-6461-5FCE-0000-0010058A0900}18202800C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+2a5631|C:\Windows\System32\Windows.Storage.dll+102e33|C:\Windows\System32\Windows.Storage.dll+102eaa|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000010802Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.693{B364217D-6461-5FCE-0000-0010058A0900}18202800C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+2ccad2|C:\Windows\System32\Windows.Storage.dll+63255|C:\Windows\System32\Windows.Storage.dll+102716|C:\Windows\System32\Windows.Storage.dll+2a5593|C:\Windows\System32\Windows.Storage.dll+102e33|C:\Windows\System32\Windows.Storage.dll+102eaa|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86 10341000x800000000000000010801Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.678{B364217D-6461-5FCE-0000-0010058A0900}18202800C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+144053|C:\Windows\System32\Windows.Storage.dll+1437f9|C:\Windows\System32\Windows.Storage.dll+14370d|C:\Windows\System32\Windows.Storage.dll+1436a6|C:\Windows\System32\Windows.Storage.dll+60b6c|C:\Windows\System32\Windows.Storage.dll+13a466|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86 10341000x800000000000000010800Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.678{B364217D-6461-5FCE-0000-0010058A0900}18202800C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+63043|C:\Windows\System32\Windows.Storage.dll+60e21|C:\Windows\System32\Windows.Storage.dll+60d7b|C:\Windows\System32\Windows.Storage.dll+60b0f|C:\Windows\System32\Windows.Storage.dll+13a466|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000010799Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.678{B364217D-6461-5FCE-0000-0010058A0900}18202800C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+6430f|C:\Windows\System32\Windows.Storage.dll+13a525|C:\Windows\System32\Windows.Storage.dll+13a448|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000010798Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.678{B364217D-6461-5FCE-0000-0010058A0900}18202800C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+13a4f9|C:\Windows\System32\Windows.Storage.dll+13a448|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\Windows.Storage.dll+14735c 10341000x800000000000000010797Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.678{B364217D-6461-5FCE-0000-0010058A0900}18206268C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\Windows.Storage.dll+63fa1|C:\Windows\System32\Windows.Storage.dll+6411c|C:\Windows\System32\Windows.Storage.dll+1a23e9|C:\Windows\System32\Windows.Storage.dll+1a2245|C:\Windows\System32\Windows.Storage.dll+818c6|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000010796Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.662{B364217D-61FC-5FCE-0000-001019540000}856896C:\Windows\system32\lsass.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010795Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.662{B364217D-61FC-5FCE-0000-001019540000}856896C:\Windows\system32\lsass.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010794Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.662{B364217D-6461-5FCE-0000-0010058A0900}18206988C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000010793Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.662{B364217D-6461-5FCE-0000-0010058A0900}18206988C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000010792Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.662{B364217D-6461-5FCE-0000-0010058A0900}18206368C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+8635|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+853f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17343|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000010791Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.662{B364217D-6461-5FCE-0000-0010058A0900}18206988C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000010790Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.662{B364217D-6461-5FCE-0000-0010058A0900}18206988C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000010789Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.662{B364217D-6461-5FCE-0000-0010058A0900}18206208C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+8635|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+853f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17343|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000010788Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.647{B364217D-6461-5FCE-0000-0010058A0900}18206320C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000010787Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.647{B364217D-6461-5FCE-0000-0010058A0900}18206320C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000010786Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.647{B364217D-6461-5FCE-0000-0010058A0900}18206988C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000010785Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.647{B364217D-6461-5FCE-0000-0010058A0900}18206988C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000010784Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.647{B364217D-6461-5FCE-0000-0010058A0900}18205444C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+8635|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+853f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17343|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000010783Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.647{B364217D-6461-5FCE-0000-0010058A0900}18206988C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000010782Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.647{B364217D-6461-5FCE-0000-0010058A0900}18206988C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000010781Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.647{B364217D-6461-5FCE-0000-0010058A0900}18204308C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+8635|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+853f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17343|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000010780Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.647{B364217D-6461-5FCE-0000-0010058A0900}18204308C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+8635|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+853f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17343|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000010779Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.600{B364217D-6461-5FCE-0000-0010058A0900}18204308C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000010778Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.600{B364217D-6461-5FCE-0000-0010058A0900}18204308C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000010777Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.600{B364217D-6461-5FCE-0000-001072CC0900}55122336C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010776Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.600{B364217D-6461-5FCE-0000-001072CC0900}55122336C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010775Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.584{B364217D-6461-5FCE-0000-0010058A0900}18204308C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000010774Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.584{B364217D-6461-5FCE-0000-0010058A0900}18204308C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000010773Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.584{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000010772Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.584{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000010771Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.568{B364217D-6461-5FCE-0000-001072CC0900}55125604C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+514bf|C:\Windows\System32\SHELL32.dll+52065|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010770Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.568{B364217D-6461-5FCE-0000-001072CC0900}55125604C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+51f7e|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010769Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.568{B364217D-6461-5FCE-0000-001072CC0900}55125604C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010768Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.568{B364217D-61FE-5FCE-0000-0010F9A90000}992644C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010767Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.568{B364217D-61FE-5FCE-0000-0010F9A90000}992644C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010766Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.568{B364217D-61FE-5FCE-0000-0010F9A90000}992644C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010765Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.568{B364217D-61FE-5FCE-0000-0010F9A90000}992644C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010764Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.568{B364217D-61FE-5FCE-0000-0010F9A90000}992644C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010763Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.568{B364217D-61FE-5FCE-0000-0010F9A90000}992644C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010762Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.568{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a344|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010761Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.568{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010760Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.568{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010759Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.568{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010758Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.568{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010757Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.568{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010756Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.568{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010755Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.568{B364217D-6461-5FCE-0000-001072CC0900}55124740C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+144dd9|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010754Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.568{B364217D-6461-5FCE-0000-001072CC0900}55123120C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010753Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.568{B364217D-6461-5FCE-0000-001072CC0900}55123120C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010752Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.568{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010751Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.568{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+18985|C:\Windows\System32\TwinUI.dll+1a704|C:\Windows\System32\TwinUI.dll+1a608|C:\Windows\System32\TwinUI.dll+1ba5f|C:\Windows\System32\TwinUI.dll+1a02d|C:\Windows\System32\TwinUI.dll+1cef1|C:\Windows\System32\TwinUI.dll+40e510|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0 10341000x800000000000000010750Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:41.568{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+18985|C:\Windows\System32\TwinUI.dll+1a76c|C:\Windows\System32\TwinUI.dll+1a5f5|C:\Windows\System32\TwinUI.dll+1ba5f|C:\Windows\System32\TwinUI.dll+1a02d|C:\Windows\System32\TwinUI.dll+1cef1|C:\Windows\System32\TwinUI.dll+40e510|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0 10341000x800000000000000010821Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:42.990{B364217D-6461-5FCE-0000-001072CC0900}55122336C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010820Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:42.990{B364217D-6461-5FCE-0000-001072CC0900}55122336C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010819Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:24:42.975{B364217D-6557-5FCE-0000-0010C2391800}6824C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1aa8-0\System.Xml.dll2020-12-07 17:24:42.975 10341000x800000000000000010818Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:42.818{B364217D-6461-5FCE-0000-001072CC0900}55125224C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+6468|C:\Windows\System32\SHCORE.dll+6437|C:\Windows\System32\SHCORE.dll+6327|C:\Windows\System32\SHCORE.dll+629d|C:\Windows\System32\SHCORE.dll+61aa|C:\Windows\System32\SHELL32.dll+46770|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8028B65C8D8)|UNKNOWN(FFFFB8A5FAFC21F8)|UNKNOWN(FFFFB8A5FAFC2377)|UNKNOWN(FFFFB8A5FAFBCA01)|UNKNOWN(FFFFB8A5FAFBE3CA)|UNKNOWN(FFFFB8A5FAFBC686)|UNKNOWN(FFFFF8028B373E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+49fdb|C:\Windows\System32\SHELL32.dll+10a26a|C:\Windows\System32\SHCORE.dll+2fedd 10341000x800000000000000010817Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:42.818{B364217D-6461-5FCE-0000-001072CC0900}55125224C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+6468|C:\Windows\System32\SHCORE.dll+124a5|C:\Windows\System32\SHELL32.dll+46251|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8028B65C8D8)|UNKNOWN(FFFFB8A5FAFC21F8)|UNKNOWN(FFFFB8A5FAFC2377)|UNKNOWN(FFFFB8A5FAFBCA01)|UNKNOWN(FFFFB8A5FAFBE3CA)|UNKNOWN(FFFFB8A5FAFBC686)|UNKNOWN(FFFFF8028B373E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+49fdb|C:\Windows\System32\SHELL32.dll+10a26a|C:\Windows\System32\SHCORE.dll+2fedd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010816Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:42.615{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000010815Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:42.615{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000010814Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:42.006{B364217D-6461-5FCE-0000-001072CC0900}55122336C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010813Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:42.006{B364217D-6461-5FCE-0000-001072CC0900}55122336C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010812Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:42.006{B364217D-6461-5FCE-0000-001072CC0900}55122336C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010811Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:42.006{B364217D-6461-5FCE-0000-001072CC0900}55122336C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010852Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:43.334{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-655B-5FCE-0000-00109B621800}6896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010851Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:43.318{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-655B-5FCE-0000-00109B621800}6896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010850Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:43.318{B364217D-6459-5FCE-0000-001094380800}43846804C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-655B-5FCE-0000-00109B621800}6896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x800000000000000010849Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:43.256{B364217D-6461-5FCE-0000-0010058A0900}18206368C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000010848Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:43.256{B364217D-6461-5FCE-0000-0010058A0900}18206368C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000010847Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:43.256{B364217D-6461-5FCE-0000-0010058A0900}18206268C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000010846Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:43.256{B364217D-6461-5FCE-0000-0010058A0900}18206368C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000010845Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:43.256{B364217D-6461-5FCE-0000-0010058A0900}18206268C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000010844Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:43.256{B364217D-6461-5FCE-0000-0010058A0900}18206368C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000010843Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:43.182{B364217D-6461-5FCE-0000-0010058A0900}18206368C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+26127|C:\Windows\system32\windows.cortana.Desktop.dll+2151b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000010842Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:43.182{B364217D-6461-5FCE-0000-0010058A0900}18206368C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+214b1|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000010841Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:43.174{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-655B-5FCE-0000-0010AE5D1800}6880C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010840Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:43.166{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6550-5FCE-0000-0010CDD41700}6880C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010839Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:43.166{B364217D-6459-5FCE-0000-001094380800}43842508C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6550-5FCE-0000-0010CDD41700}6880C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x800000000000000010838Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:43.118{B364217D-61FE-5FCE-0000-00102EBA0000}11362168C:\Windows\system32\svchost.exe{B364217D-655B-5FCE-0000-0010CC5A1800}5600C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010837Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:43.118{B364217D-61FE-5FCE-0000-00102EBA0000}11361624C:\Windows\system32\svchost.exe{B364217D-655B-5FCE-0000-0010CC5A1800}5600C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010836Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:43.118{B364217D-6461-5FCE-0000-0010058A0900}18206368C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+26127|C:\Windows\system32\windows.cortana.Desktop.dll+2151b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000010835Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:43.114{B364217D-6461-5FCE-0000-0010058A0900}18206368C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+214b1|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000010834Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:43.114{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-655B-5FCE-0000-0010CC5A1800}5600C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010833Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:43.110{B364217D-645F-5FCE-0000-0010EA600800}42163292C:\Windows\system32\csrss.exe{B364217D-655B-5FCE-0000-0010CC5A1800}5600C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010832Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:43.110{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-655B-5FCE-0000-0010CC5A1800}5600C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010831Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:43.106{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-655B-5FCE-0000-0010CC5A1800}5600C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010830Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:43.053{B364217D-61FE-5FCE-0000-00102EBA0000}11362168C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-00106BCD1700}6980C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010829Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:43.053{B364217D-61FE-5FCE-0000-00102EBA0000}11361624C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-00106BCD1700}6980C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010828Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:43.053{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-00106BCD1700}6980C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010827Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:43.053{B364217D-645F-5FCE-0000-0010EA600800}42163292C:\Windows\system32\csrss.exe{B364217D-6550-5FCE-0000-00106BCD1700}6980C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010826Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:43.053{B364217D-6461-5FCE-0000-0010058A0900}18206368C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000010825Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:43.053{B364217D-6461-5FCE-0000-0010058A0900}18206368C:\Windows\System32\RuntimeBroker.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000010824Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:43.053{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6550-5FCE-0000-00106BCD1700}6980C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010823Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:43.053{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-00106BCD1700}6980C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010822Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:42.990{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010894Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.163{B364217D-6461-5FCE-0000-001072CC0900}55125604C:\Windows\Explorer.EXE{B364217D-655C-5FCE-0000-0010326A1800}6392C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+19439|C:\Windows\System32\SHELL32.dll+51390|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010893Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.163{B364217D-6461-5FCE-0000-001072CC0900}55125604C:\Windows\Explorer.EXE{B364217D-655C-5FCE-0000-0010326A1800}6392C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010892Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.163{B364217D-6461-5FCE-0000-0010D0970900}31525316C:\Windows\system32\taskhostw.exe{B364217D-655C-5FCE-0000-0010536B1800}7008C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010891Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.163{B364217D-6461-5FCE-0000-001072CC0900}55125944C:\Windows\Explorer.EXE{B364217D-655C-5FCE-0000-0010326A1800}6392C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+19439|C:\Windows\System32\SHELL32.dll+51390|C:\Windows\System32\SHELL32.dll+12d84|C:\Windows\Explorer.EXE+2fdf8|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010890Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.163{B364217D-6461-5FCE-0000-001072CC0900}55125944C:\Windows\Explorer.EXE{B364217D-655C-5FCE-0000-0010326A1800}6392C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+12d84|C:\Windows\Explorer.EXE+2fdf8|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010889Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.163{B364217D-6461-5FCE-0000-001072CC0900}55125944C:\Windows\Explorer.EXE{B364217D-655C-5FCE-0000-0010326A1800}6392C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+19439|C:\Windows\System32\SHELL32.dll+51390|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+2fd1a|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010888Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.163{B364217D-6461-5FCE-0000-001072CC0900}55125944C:\Windows\Explorer.EXE{B364217D-655C-5FCE-0000-0010326A1800}6392C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+2fd1a|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010887Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.163{B364217D-6461-5FCE-0000-001072CC0900}55125944C:\Windows\Explorer.EXE{B364217D-655C-5FCE-0000-0010326A1800}6392C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+3007c|C:\Windows\Explorer.EXE+30028|C:\Windows\Explorer.EXE+2fccc|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010886Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.162{B364217D-6461-5FCE-0000-001072CC0900}55124740C:\Windows\Explorer.EXE{B364217D-655C-5FCE-0000-0010536B1800}7008C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+514bf|C:\Windows\System32\SHELL32.dll+519e0|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010885Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.162{B364217D-6461-5FCE-0000-001072CC0900}55124740C:\Windows\Explorer.EXE{B364217D-655C-5FCE-0000-0010536B1800}7008C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e75c0|C:\Windows\System32\SHELL32.dll+5199c|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010884Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.162{B364217D-6461-5FCE-0000-001072CC0900}55124740C:\Windows\Explorer.EXE{B364217D-655C-5FCE-0000-0010536B1800}7008C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51970|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010883Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.162{B364217D-6461-5FCE-0000-001072CC0900}55124740C:\Windows\Explorer.EXE{B364217D-655C-5FCE-0000-0010536B1800}7008C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+144dd9|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010882Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.131{B364217D-6461-5FCE-0000-0010058A0900}18206988C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000010881Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.131{B364217D-6461-5FCE-0000-0010058A0900}18206988C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000010880Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.131{B364217D-6461-5FCE-0000-0010058A0900}18206268C:\Windows\System32\RuntimeBroker.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+8635|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+853f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17343|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000010879Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.115{B364217D-61FE-5FCE-0000-00102EBA0000}11362168C:\Windows\system32\svchost.exe{B364217D-655C-5FCE-0000-0010536B1800}7008C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010878Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.115{B364217D-61FE-5FCE-0000-00102EBA0000}11361624C:\Windows\system32\svchost.exe{B364217D-655C-5FCE-0000-0010536B1800}7008C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010877Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.115{B364217D-655C-5FCE-0000-0010536B1800}70086920C:\Windows\system32\conhost.exe{B364217D-655C-5FCE-0000-0010326A1800}6392C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010876Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.115{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000010875Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.115{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000010874Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.115{B364217D-645F-5FCE-0000-0010EA600800}42163324C:\Windows\system32\csrss.exe{B364217D-655C-5FCE-0000-0010536B1800}7008C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010873Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.100{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010872Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.100{B364217D-6461-5FCE-0000-001072CC0900}55124808C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010871Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.100{B364217D-6461-5FCE-0000-001072CC0900}55124808C:\Windows\Explorer.EXE{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010870Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.100{B364217D-6461-5FCE-0000-001072CC0900}55122336C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010869Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.100{B364217D-6461-5FCE-0000-001072CC0900}55122336C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010868Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.100{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010867Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.100{B364217D-6461-5FCE-0000-0010D0970900}31525316C:\Windows\system32\taskhostw.exe{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010866Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.100{B364217D-645F-5FCE-0000-0010EA600800}42163292C:\Windows\system32\csrss.exe{B364217D-6550-5FCE-0000-00104BDF1700}6392C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010865Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.100{B364217D-6461-5FCE-0000-001072CC0900}55127104C:\Windows\Explorer.EXE{B364217D-6550-5FCE-0000-00104BDF1700}6392C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+13755f|C:\Windows\System32\windows.storage.dll+1371d5|C:\Windows\System32\windows.storage.dll+136cc6|C:\Windows\System32\windows.storage.dll+138138|C:\Windows\System32\windows.storage.dll+136aee|C:\Windows\System32\windows.storage.dll+10a3b5|C:\Windows\System32\windows.storage.dll+10a734|C:\Windows\System32\windows.storage.dll+109d70|C:\Windows\System32\windows.storage.dll+1241fa|C:\Windows\System32\windows.storage.dll+123f5a|C:\Windows\System32\SHELL32.dll+77991|C:\Windows\System32\SHELL32.dll+767f6|C:\Windows\System32\SHELL32.dll+110821|C:\Windows\System32\SHELL32.dll+7888e|C:\Windows\System32\windows.storage.dll+12f9e|C:\Windows\System32\windows.storage.dll+131a1|C:\Windows\System32\windows.storage.dll+12ddf|C:\Windows\System32\SHELL32.dll+1108a7|C:\Windows\System32\SHELL32.dll+7888e|C:\Windows\System32\SHELL32.dll+16ce0b 10341000x800000000000000010864Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.100{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010863Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.100{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010862Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.100{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010861Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.100{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000010860Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.106{B364217D-655C-5FCE-0000-0010326A1800}6392C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{B364217D-6460-5FCE-0000-0020BD420900}0x942bd2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B364217D-6461-5FCE-0000-001072CC0900}5512C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x800000000000000010859Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.084{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010858Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.084{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010857Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.084{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9c27|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9b25|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2d9c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e 10341000x800000000000000010856Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.084{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a54|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9af1|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2d9c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e 10341000x800000000000000010855Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.084{B364217D-6461-5FCE-0000-001072CC0900}55125260C:\Windows\Explorer.EXE{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9ac5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2d9c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000010854Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.084{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010853Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:44.084{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010901Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:45.943{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010900Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:45.943{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010899Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:45.943{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010898Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:45.928{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010897Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:45.928{B364217D-645F-5FCE-0000-0010EA600800}42163292C:\Windows\system32\csrss.exe{B364217D-654E-5FCE-0000-00108A681700}6076C:\Windows\System32\Wbem\scrcons.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010896Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:45.928{B364217D-655C-5FCE-0000-0010326A1800}63927096C:\Windows\system32\cmd.exe{B364217D-654E-5FCE-0000-00108A681700}6076C:\Windows\System32\Wbem\scrcons.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000010895Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:45.941{B364217D-655D-5FCE-0000-00109F741800}6076C:\Windows\System32\wbem\scrcons.exe10.0.14393.0 (rs1_release.160715-1616)WMI Standard Event Consumer - scriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationScrConsscrcons.exeC:\Users\Administrator\ATTACKRANGE\Administrator{B364217D-6460-5FCE-0000-0020BD420900}0x942bd2HighMD5=0E7BCB183DB07DDE6CA7C7D598E66194,SHA256=7154B0624717DFE981520581E31AD7E53F3D77BA9EDCEED88BE397AA5E4E9B19,IMPHASH=68EDF5B5E1487BC2F7B0BE8EAD7EB2FB{B364217D-655C-5FCE-0000-0010326A1800}6392C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 11241100x800000000000000010906Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:24:47.959{B364217D-655B-5FCE-0000-00109B621800}6896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1af0-0\System.Core.dll2020-12-07 17:24:47.959 10341000x800000000000000010905Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:47.490{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010904Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:47.490{B364217D-61FE-5FCE-0000-0010E0650000}6041056C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010903Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:47.490{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010902Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:47.490{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010916Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:48.756{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6560-5FCE-0000-0010C17F1800}5544C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010915Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:48.740{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6560-5FCE-0000-0010C17F1800}5544C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010914Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:48.740{B364217D-6459-5FCE-0000-001094380800}43846804C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6560-5FCE-0000-0010C17F1800}5544C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x800000000000000010913Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:48.693{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6560-5FCE-0000-00106D7C1800}6740C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010912Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:48.678{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6560-5FCE-0000-00106D7C1800}6740C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010911Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:48.678{B364217D-6459-5FCE-0000-001094380800}43842508C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6560-5FCE-0000-00106D7C1800}6740C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x800000000000000010910Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:24:48.615{B364217D-6560-5FCE-0000-001060781800}6316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\18ac-0\System.Configuration.dll2020-12-07 17:24:48.615 10341000x800000000000000010909Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:48.162{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-6560-5FCE-0000-001060781800}6316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010908Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:48.162{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6560-5FCE-0000-001060781800}6316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010907Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:48.162{B364217D-6459-5FCE-0000-001094380800}43846804C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6560-5FCE-0000-001060781800}6316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x800000000000000010932Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:49.943{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-654F-5FCE-0000-0010F8811700}2484C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010931Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:49.943{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-654F-5FCE-0000-0010F8811700}2484C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010930Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:49.943{B364217D-6459-5FCE-0000-001094380800}43846804C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-654F-5FCE-0000-0010F8811700}2484C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x800000000000000010929Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:49.584{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6561-5FCE-0000-00103A841800}6252C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010928Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:49.568{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6561-5FCE-0000-00103A841800}6252C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010927Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:49.568{B364217D-6459-5FCE-0000-001094380800}43842508C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6561-5FCE-0000-00103A841800}6252C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x800000000000000010926Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:49.553{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010925Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:49.553{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010924Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:49.553{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010923Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:49.553{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010922Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:49.553{B364217D-61FE-5FCE-0000-0010E0650000}6043880C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010921Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:49.553{B364217D-6461-5FCE-0000-0010F2920900}10485272C:\Windows\system32\sihost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+1a0fc|C:\Windows\System32\modernexecserver.dll+1a09f|C:\Windows\System32\modernexecserver.dll+198f6|C:\Windows\System32\modernexecserver.dll+2c9d4|C:\Windows\System32\modernexecserver.dll+35efd|C:\Windows\System32\modernexecserver.dll+4d3a1|C:\Windows\System32\modernexecserver.dll+4d2bf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010920Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:24:49.459{B364217D-6560-5FCE-0000-0010C17F1800}5544C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\15a8-0\System.Drawing.dll2020-12-07 17:24:49.459 10341000x800000000000000010919Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:49.381{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010918Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:49.381{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6473-5FCE-0000-001062E40C00}5556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010917Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:49.381{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6474-5FCE-0000-001042F70C00}6008C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010939Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:53.990{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6565-5FCE-0000-001085911800}6892C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010938Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:53.974{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6565-5FCE-0000-001085911800}6892C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010937Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:53.974{B364217D-6459-5FCE-0000-001094380800}43846804C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6565-5FCE-0000-001085911800}6892C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x800000000000000010936Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:53.646{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6565-5FCE-0000-0010A58D1800}4596C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010935Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:53.631{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6565-5FCE-0000-0010A58D1800}4596C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010934Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:53.631{B364217D-6459-5FCE-0000-001094380800}43842508C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6565-5FCE-0000-0010A58D1800}4596C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x800000000000000010933Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:24:53.428{B364217D-6561-5FCE-0000-001048881800}2484C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\9b4-0\System.Data.dll2020-12-07 17:24:53.428 10341000x800000000000000010943Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:59.880{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-656B-5FCE-0000-0010DD961800}3792C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010942Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:59.880{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-656B-5FCE-0000-0010DD961800}3792C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010941Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:24:59.880{B364217D-6459-5FCE-0000-001094380800}43842508C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-656B-5FCE-0000-0010DD961800}3792C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x800000000000000010940Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:24:59.615{B364217D-6565-5FCE-0000-001085911800}6892C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1aec-0\System.Windows.Forms.dll2020-12-07 17:24:59.615 10341000x800000000000000010960Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:00.849{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-656C-5FCE-0000-001081A91800}6868C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010959Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:00.834{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6550-5FCE-0000-00102CAC1700}6868C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010958Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:00.834{B364217D-6459-5FCE-0000-001094380800}43846804C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6550-5FCE-0000-00102CAC1700}6868C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x800000000000000010957Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:00.787{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-656C-5FCE-0000-0010FDA51800}5468C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010956Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:00.771{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-656C-5FCE-0000-0010FDA51800}5468C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010955Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:00.771{B364217D-6459-5FCE-0000-001094380800}43842508C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-656C-5FCE-0000-0010FDA51800}5468C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x800000000000000010954Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:25:00.709{B364217D-656C-5FCE-0000-001026A21800}6708C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1a34-0\System.ServiceProcess.dll2020-12-07 17:25:00.709 10341000x800000000000000010953Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:00.599{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-001008161800}6708C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010952Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:00.599{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6550-5FCE-0000-001008161800}6708C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010951Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:00.599{B364217D-6459-5FCE-0000-001094380800}43846804C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6550-5FCE-0000-001008161800}6708C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x800000000000000010950Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:00.474{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-656C-5FCE-0000-0010849E1800}6764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010949Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:00.459{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6550-5FCE-0000-0010110F1800}6764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010948Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:00.459{B364217D-6459-5FCE-0000-001094380800}43842508C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6550-5FCE-0000-0010110F1800}6764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x800000000000000010947Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:25:00.396{B364217D-656C-5FCE-0000-0010899A1800}1180C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\49c-0\System.Runtime.Remoting.dll2020-12-07 17:25:00.396 10341000x800000000000000010946Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:00.037{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6550-5FCE-0000-0010A80C1800}1180C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010945Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:00.037{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6550-5FCE-0000-0010A80C1800}1180C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010944Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:00.037{B364217D-6459-5FCE-0000-001094380800}43846804C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6550-5FCE-0000-0010A80C1800}1180C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x800000000000000010974Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:01.802{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-656D-5FCE-0000-001091B71800}6776C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010973Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:01.787{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-656D-5FCE-0000-001091B71800}6776C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010972Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:01.787{B364217D-6459-5FCE-0000-001094380800}43846804C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-656D-5FCE-0000-001091B71800}6776C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x800000000000000010971Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:01.630{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-656D-5FCE-0000-001066B31800}2372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010970Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:01.615{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-653A-5FCE-0000-00102AA71600}2372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010969Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:01.615{B364217D-6459-5FCE-0000-001094380800}43842508C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-653A-5FCE-0000-00102AA71600}2372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x800000000000000010968Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:25:01.568{B364217D-656D-5FCE-0000-001026B01800}5228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\146c-0\Accessibility.dll2020-12-07 17:25:01.568 10341000x800000000000000010967Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:01.521{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-656D-5FCE-0000-001026B01800}5228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010966Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:01.505{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6550-5FCE-0000-00104DAF1700}5228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010965Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:01.505{B364217D-6459-5FCE-0000-001094380800}43846804C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6550-5FCE-0000-00104DAF1700}5228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x800000000000000010964Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:01.490{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-656D-5FCE-0000-00102BAD1800}5916C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010963Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:01.474{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6551-5FCE-0000-0010872D1800}5916C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010962Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:01.474{B364217D-6459-5FCE-0000-001094380800}43842508C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6551-5FCE-0000-0010872D1800}5916C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x800000000000000010961Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:25:01.365{B364217D-656C-5FCE-0000-001081A91800}6868C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1ad4-0\System.Management.dll2020-12-07 17:25:01.365 10341000x800000000000000010984Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:02.896{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-656E-5FCE-0000-001054C31800}6844C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010983Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:02.880{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6550-5FCE-0000-0010EBD91700}6844C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010982Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:02.880{B364217D-6459-5FCE-0000-001094380800}43846804C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6550-5FCE-0000-0010EBD91700}6844C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x800000000000000010981Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:02.834{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-656E-5FCE-0000-001010C01800}6564C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010980Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:02.818{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-654E-5FCE-0000-0010C8541700}6564C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010979Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:02.818{B364217D-6459-5FCE-0000-001094380800}43842508C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-654E-5FCE-0000-0010C8541700}6564C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x800000000000000010978Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:02.771{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-656E-5FCE-0000-001087BC1800}5368C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010977Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:02.771{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-656E-5FCE-0000-001087BC1800}5368C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010976Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:02.771{B364217D-6459-5FCE-0000-001094380800}43842508C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-656E-5FCE-0000-001087BC1800}5368C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x800000000000000010975Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:25:02.677{B364217D-656D-5FCE-0000-001091B71800}6776C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1a78-0\Microsoft.VisualBasic.dll2020-12-07 17:25:02.677 10341000x800000000000000010995Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:03.927{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-656F-5FCE-0000-0010EACE1800}7144C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010994Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:03.927{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-656F-5FCE-0000-0010EACE1800}7144C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010993Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:03.927{B364217D-6459-5FCE-0000-001094380800}43842508C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-656F-5FCE-0000-0010EACE1800}7144C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x800000000000000010992Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:25:03.865{B364217D-656F-5FCE-0000-0010DCCA1800}6076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\17bc-0\System.Transactions.dll2020-12-07 17:25:03.865 10341000x800000000000000010991Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:03.537{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-656F-5FCE-0000-0010DCCA1800}6076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010990Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:03.521{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-655D-5FCE-0000-00109F741800}6076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010989Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:03.521{B364217D-6459-5FCE-0000-001094380800}43846804C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-655D-5FCE-0000-00109F741800}6076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x800000000000000010988Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:03.474{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-656F-5FCE-0000-00104CC71800}6540C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010987Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:03.459{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-656F-5FCE-0000-00104CC71800}6540C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010986Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:03.459{B364217D-6459-5FCE-0000-001094380800}43842508C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-656F-5FCE-0000-00104CC71800}6540C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x800000000000000010985Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:25:03.396{B364217D-656E-5FCE-0000-001054C31800}6844C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1abc-0\System.DirectoryServices.dll2020-12-07 17:25:03.396 11241100x800000000000000010999Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:25:04.865{B364217D-6570-5FCE-0000-0010C3D21800}5460C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1554-0\System.Web.Services.dll2020-12-07 17:25:04.865 10341000x800000000000000010998Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:04.068{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6570-5FCE-0000-0010C3D21800}5460C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010997Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:04.052{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6544-5FCE-0000-00101DF11600}5460C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010996Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:04.052{B364217D-6459-5FCE-0000-001094380800}43846804C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6544-5FCE-0000-00101DF11600}5460C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x800000000000000011019Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:05.709{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6571-5FCE-0000-001065E91800}1656C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011018Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:05.693{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6571-5FCE-0000-001065E91800}1656C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011017Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:05.693{B364217D-6459-5FCE-0000-001094380800}43846804C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6571-5FCE-0000-001065E91800}1656C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x800000000000000011016Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:05.584{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6571-5FCE-0000-001005E61800}2908C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011015Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:05.568{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6571-5FCE-0000-001005E61800}2908C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011014Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:05.568{B364217D-6459-5FCE-0000-001094380800}43842508C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6571-5FCE-0000-001005E61800}2908C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x800000000000000011013Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:25:05.521{B364217D-6571-5FCE-0000-00104EE11800}6236C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\185c-0\System.Configuration.Install.dll2020-12-07 17:25:05.521 10341000x800000000000000011012Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:05.349{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6571-5FCE-0000-00104EE11800}6236C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011011Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:05.334{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6543-5FCE-0000-00105BEA1600}6236C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011010Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:05.334{B364217D-6459-5FCE-0000-001094380800}43846804C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6543-5FCE-0000-00105BEA1600}6236C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x800000000000000011009Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:05.193{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6542-5FCE-0000-0010C4D41600}6088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011008Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:05.193{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6542-5FCE-0000-0010C4D41600}6088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011007Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:05.193{B364217D-6459-5FCE-0000-001094380800}43842508C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6542-5FCE-0000-0010C4D41600}6088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x800000000000000011006Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:25:05.130{B364217D-6571-5FCE-0000-00107FDA1800}6792C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1a88-0\CustomMarshalers.dll2020-12-07 17:25:05.130 10341000x800000000000000011005Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:05.052{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6571-5FCE-0000-00107FDA1800}6792C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011004Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:05.037{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-654D-5FCE-0000-0010184D1700}6792C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011003Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:05.037{B364217D-6459-5FCE-0000-001094380800}43846804C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-654D-5FCE-0000-0010184D1700}6792C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x800000000000000011002Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:05.005{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6570-5FCE-0000-001024D71800}6196C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011001Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:04.990{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-654F-5FCE-0000-00103F711700}6196C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011000Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:04.990{B364217D-6459-5FCE-0000-001094380800}43842508C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-654F-5FCE-0000-00103F711700}6196C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x800000000000000011023Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:06.958{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6572-5FCE-0000-001041ED1800}2484C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011022Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:06.912{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6561-5FCE-0000-001048881800}2484C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011021Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:06.912{B364217D-6459-5FCE-0000-001094380800}43842508C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6561-5FCE-0000-001048881800}2484C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x800000000000000011020Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:25:06.709{B364217D-6571-5FCE-0000-001065E91800}1656C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\678-0\System.Xaml.dll2020-12-07 17:25:06.709 10341000x800000000000000011026Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:07.334{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6573-5FCE-0000-001008F11800}4608C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011025Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:07.302{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6573-5FCE-0000-001008F11800}4608C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011024Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:07.302{B364217D-6459-5FCE-0000-001094380800}43846804C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6573-5FCE-0000-001008F11800}4608C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x800000000000000011033Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:09.943{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6575-5FCE-0000-0010D7F91800}6696C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011032Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:09.927{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6575-5FCE-0000-0010D7F91800}6696C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011031Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:09.927{B364217D-6459-5FCE-0000-001094380800}43846804C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6575-5FCE-0000-0010D7F91800}6696C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x800000000000000011030Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:09.787{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6575-5FCE-0000-001041F61800}988C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011029Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:09.771{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6575-5FCE-0000-001041F61800}988C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011028Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:09.771{B364217D-6459-5FCE-0000-001094380800}43842508C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6575-5FCE-0000-001041F61800}988C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x800000000000000011027Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:25:09.521{B364217D-6573-5FCE-0000-001008F11800}4608C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1200-0\WindowsBase.dll2020-12-07 17:25:09.521 11241100x800000000000000011041Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:25:10.896{B364217D-6576-5FCE-0000-001064011900}1840C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\730-0\System.Xml.Linq.dll2020-12-07 17:25:10.896 10341000x800000000000000011040Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:10.615{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6576-5FCE-0000-001064011900}1840C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011039Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:10.583{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6457-5FCE-0000-0010071E0800}1840C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011038Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:10.583{B364217D-6459-5FCE-0000-001094380800}43846804C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6457-5FCE-0000-0010071E0800}1840C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x800000000000000011037Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:10.412{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6576-5FCE-0000-00108CFD1800}4612C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011036Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:10.380{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6576-5FCE-0000-00108CFD1800}4612C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011035Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:10.380{B364217D-6459-5FCE-0000-001094380800}43842508C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6576-5FCE-0000-00108CFD1800}4612C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x800000000000000011034Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:25:10.273{B364217D-6575-5FCE-0000-0010D7F91800}6696C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1a28-0\System.Net.Http.dll2020-12-07 17:25:10.273 10341000x800000000000000011054Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:11.990{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6577-5FCE-0000-0010EF101900}2400C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011053Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:11.975{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6577-5FCE-0000-0010EF101900}2400C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011052Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:11.975{B364217D-6459-5FCE-0000-001094380800}43846804C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6577-5FCE-0000-0010EF101900}2400C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x800000000000000011051Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:11.927{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6577-5FCE-0000-0010830D1900}4728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011050Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:11.912{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6577-5FCE-0000-0010830D1900}4728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011049Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:11.912{B364217D-6459-5FCE-0000-001094380800}43842508C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6577-5FCE-0000-0010830D1900}4728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x800000000000000011048Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:25:11.833{B364217D-6577-5FCE-0000-001009091900}3852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\f0c-0\System.Runtime.WindowsRuntime.dll2020-12-07 17:25:11.833 10341000x800000000000000011047Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:11.349{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6577-5FCE-0000-001009091900}3852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011046Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:11.334{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6577-5FCE-0000-001009091900}3852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011045Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:11.334{B364217D-6459-5FCE-0000-001094380800}43846804C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6577-5FCE-0000-001009091900}3852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x800000000000000011044Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:11.021{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6577-5FCE-0000-001066051900}6132C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011043Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:11.013{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6577-5FCE-0000-001066051900}6132C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011042Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:11.013{B364217D-6459-5FCE-0000-001094380800}43842508C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6577-5FCE-0000-001066051900}6132C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x800000000000000011061Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:12.287{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6578-5FCE-0000-00103A181900}6684C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011060Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:12.255{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6578-5FCE-0000-00103A181900}6684C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011059Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:12.255{B364217D-6459-5FCE-0000-001094380800}43846804C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6578-5FCE-0000-00103A181900}6684C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x800000000000000011058Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:12.115{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6551-5FCE-0000-0010E4301800}6760C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011057Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:12.115{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6551-5FCE-0000-0010E4301800}6760C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011056Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:12.115{B364217D-6459-5FCE-0000-001094380800}43842508C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6551-5FCE-0000-0010E4301800}6760C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x800000000000000011055Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:25:12.052{B364217D-6577-5FCE-0000-0010EF101900}2400C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\960-0\System.Runtime.WindowsRuntime.UI.Xaml.dll2020-12-07 17:25:12.052 10341000x800000000000000011065Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:13.927{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-654C-5FCE-0000-00106D3C1700}636C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011064Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:13.927{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-654C-5FCE-0000-00106D3C1700}636C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011063Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:13.927{B364217D-6459-5FCE-0000-001094380800}43842508C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-654C-5FCE-0000-00106D3C1700}636C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x800000000000000011062Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:25:13.771{B364217D-6578-5FCE-0000-00103A181900}6684C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1a1c-0\System.Runtime.Serialization.dll2020-12-07 17:25:13.771 10341000x800000000000000011068Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:14.490{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-657A-5FCE-0000-001062231900}6860C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011067Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:14.458{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-657A-5FCE-0000-001062231900}6860C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011066Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:14.458{B364217D-6459-5FCE-0000-001094380800}43846804C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-657A-5FCE-0000-001062231900}6860C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x800000000000000011076Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:18.693{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-654E-5FCE-0000-00108E5D1700}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011075Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:18.693{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011074Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:18.693{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011073Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:18.693{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011072Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:18.693{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011071Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:18.693{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-654E-5FCE-0000-00108E5D1700}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011070Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:18.693{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-654E-5FCE-0000-00108E5D1700}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011069Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:18.693{B364217D-657E-5FCE-0000-0010492C1900}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000011085Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:19.521{B364217D-657F-5FCE-0000-0010C82D1900}69246552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011084Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:19.365{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-654E-5FCE-0000-0010CB641700}6924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011083Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:19.365{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011082Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:19.365{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011081Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:19.365{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011080Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:19.365{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011079Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:19.365{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-654E-5FCE-0000-0010CB641700}6924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011078Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:19.365{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-654E-5FCE-0000-0010CB641700}6924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011077Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:19.365{B364217D-657F-5FCE-0000-0010C82D1900}6924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000011093Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:20.036{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-6580-5FCE-0000-0010D02F1900}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011092Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:20.036{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011091Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:20.036{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011090Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:20.036{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011089Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:20.036{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011088Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:20.036{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6580-5FCE-0000-0010D02F1900}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011087Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:20.036{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-6580-5FCE-0000-0010D02F1900}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011086Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:20.037{B364217D-6580-5FCE-0000-0010D02F1900}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000011102Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:21.380{B364217D-6581-5FCE-0000-0010D5311900}60765500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011101Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:21.224{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-656F-5FCE-0000-0010DCCA1800}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011100Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:21.224{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011099Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:21.224{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011098Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:21.224{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011097Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:21.224{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011096Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:21.224{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-656F-5FCE-0000-0010DCCA1800}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011095Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:21.224{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-656F-5FCE-0000-0010DCCA1800}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011094Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:21.225{B364217D-6581-5FCE-0000-0010D5311900}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000011120Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:22.818{B364217D-6582-5FCE-0000-001030351900}71563900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011119Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:22.661{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-6550-5FCE-0000-0010B1EF1700}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011118Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:22.661{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011117Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:22.661{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011116Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:22.661{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011115Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:22.661{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011114Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:22.661{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6550-5FCE-0000-0010B1EF1700}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011113Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:22.661{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-6550-5FCE-0000-0010B1EF1700}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011112Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:22.663{B364217D-6582-5FCE-0000-001030351900}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000011111Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:22.239{B364217D-6582-5FCE-0000-00106B331900}58644880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011110Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:22.083{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-6582-5FCE-0000-00106B331900}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011109Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:22.083{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011108Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:22.083{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011107Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:22.083{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011106Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:22.083{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011105Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:22.083{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6582-5FCE-0000-00106B331900}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011104Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:22.083{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-6582-5FCE-0000-00106B331900}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011103Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:22.084{B364217D-6582-5FCE-0000-00106B331900}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000011128Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:23.802{B364217D-62A5-5FCE-0000-00105CB70600}27364548C:\Windows\system32\conhost.exe{B364217D-6583-5FCE-0000-0010CD371900}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011127Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:23.802{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011126Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:23.802{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011125Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:23.802{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011124Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:23.802{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011123Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:23.802{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6583-5FCE-0000-0010CD371900}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011122Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:23.802{B364217D-62A5-5FCE-0000-00108BB20600}1360748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B364217D-6583-5FCE-0000-0010CD371900}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011121Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:23.803{B364217D-6583-5FCE-0000-0010CD371900}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B364217D-61FC-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B364217D-62A5-5FCE-0000-00108BB20600}1360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000011135Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:25.974{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6585-5FCE-0000-0010AE3E1900}4544C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011134Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:25.958{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-654C-5FCE-0000-0010C6381700}4544C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011133Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:25.958{B364217D-6459-5FCE-0000-001094380800}43846804C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-654C-5FCE-0000-0010C6381700}4544C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x800000000000000011132Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:25.599{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6585-5FCE-0000-0010633A1900}872C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011131Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:25.599{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6585-5FCE-0000-0010633A1900}872C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011130Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:25.583{B364217D-6459-5FCE-0000-001094380800}43842508C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6585-5FCE-0000-0010633A1900}872C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x800000000000000011129Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:25:25.146{B364217D-657A-5FCE-0000-001062231900}6860C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1acc-0\System.ServiceModel.dll2020-12-07 17:25:25.146 10341000x800000000000000011149Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:32.958{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-658C-5FCE-0000-00104E491900}3828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011148Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:32.942{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-658C-5FCE-0000-00104E491900}3828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011147Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:32.942{B364217D-6459-5FCE-0000-001094380800}43842508C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-658C-5FCE-0000-00104E491900}3828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x800000000000000011146Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:25:32.661{B364217D-6585-5FCE-0000-0010AE3E1900}4544C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\11c0-0\PresentationCore.dll2020-12-07 17:25:32.661 13241300x800000000000000011145Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:25:32.630{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000011144Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:25:32.630{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x000e03c4) 13241300x800000000000000011143Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:25:32.630{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6ccb5-0x95707b88) 13241300x800000000000000011142Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:25:32.630{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6ccbd-0xf734e388) 13241300x800000000000000011141Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:25:32.630{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6ccc6-0x58f94b88) 13241300x800000000000000011140Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:25:32.630{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000011139Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:25:32.630{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x000e03c4) 13241300x800000000000000011138Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:25:32.630{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6ccb5-0x955b1bbe) 13241300x800000000000000011137Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:25:32.630{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6ccbd-0xf71f83be) 13241300x800000000000000011136Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localSetValue2020-12-07 17:25:32.630{B364217D-61FC-5FCE-0000-001019540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6ccc6-0x58e3ebbe) 10341000x800000000000000011173Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:33.864{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011172Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:33.864{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011171Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:33.864{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011170Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:33.817{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011169Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:33.817{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011168Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:33.817{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011167Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:33.817{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001026C10200}3164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011166Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:33.802{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-658D-5FCE-0000-001095551900}7048C:\Windows\System32\InstallAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011165Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:33.802{B364217D-645F-5FCE-0000-0010EA600800}42163324C:\Windows\system32\csrss.exe{B364217D-658D-5FCE-0000-001095551900}7048C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011164Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:33.771{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-658D-5FCE-0000-001095551900}7048C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011163Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:33.771{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011162Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:33.771{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011161Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:33.771{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011160Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:33.771{B364217D-61FE-5FCE-0000-0010E0650000}6041228C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011159Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:33.771{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-658D-5FCE-0000-001095551900}7048C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011158Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:33.769{B364217D-658D-5FCE-0000-001095551900}7048C:\Windows\System32\InstallAgent.exe10.0.14393.3930 (rs1_release.200901-1914)InstallAgentMicrosoft® Windows® Operating SystemMicrosoft CorporationInstallAgent.exeC:\Windows\System32\InstallAgent.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{B364217D-6460-5FCE-0000-0020BD420900}0x942bd2HighMD5=A1BA1789A4ED6CDB5A0060984497C7D0,SHA256=EA073DFA2D2AC789F08DD1A91166FBFA6B90A92DC4091429ADC4F25DCFC3D1BC,IMPHASH=6303FC47B48DC01C8FC862BCA8D40657{B364217D-61FE-5FCE-0000-0010E0650000}604C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x800000000000000011157Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:33.724{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011156Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:33.724{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011155Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:33.724{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011154Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:33.724{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-620D-5FCE-0000-001082C10200}3172C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011153Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:33.724{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011152Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:33.364{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6571-5FCE-0000-001065E91800}1656C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011151Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:33.364{B364217D-61FC-5FCE-0000-0010ED420000}6401156C:\Windows\system32\csrss.exe{B364217D-6571-5FCE-0000-001065E91800}1656C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011150Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:33.364{B364217D-6459-5FCE-0000-001094380800}43846804C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6571-5FCE-0000-001065E91800}1656C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x800000000000000011176Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:34.974{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011175Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:34.974{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00102EBA0000}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011174Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:34.161{B364217D-61FC-5FCE-0000-001019540000}8564172C:\Windows\system32\lsass.exe{B364217D-61FB-5FCE-0000-0010EB030000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000011179Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:35.083{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011178Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:35.083{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011177Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:35.083{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-61FE-5FCE-0000-00107DF00000}1564C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011183Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:43.942{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6597-5FCE-0000-00101D691900}3556C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011182Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:43.942{B364217D-61FC-5FCE-0000-0010ED420000}6402368C:\Windows\system32\csrss.exe{B364217D-6597-5FCE-0000-00101D691900}3556C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011181Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:43.942{B364217D-6459-5FCE-0000-001094380800}43842508C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6597-5FCE-0000-00101D691900}3556C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x800000000000000011180Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:25:43.567{B364217D-658D-5FCE-0000-0010534E1900}1656C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\678-0\PresentationFramework.dll2020-12-07 17:25:43.567 10341000x800000000000000011193Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:44.489{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6577-5FCE-0000-001009091900}3852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011192Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:44.489{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6577-5FCE-0000-001009091900}3852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011191Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:44.489{B364217D-6459-5FCE-0000-001094380800}43842508C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6577-5FCE-0000-001009091900}3852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x800000000000000011190Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:44.442{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6598-5FCE-0000-0010E7711900}7136C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011189Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:44.427{B364217D-61FC-5FCE-0000-0010ED420000}640764C:\Windows\system32\csrss.exe{B364217D-6598-5FCE-0000-0010E7711900}7136C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011188Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:44.427{B364217D-6459-5FCE-0000-001094380800}43842508C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6598-5FCE-0000-0010E7711900}7136C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x800000000000000011187Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.localDLL2020-12-07 17:25:44.364{B364217D-6598-5FCE-0000-0010F06C1900}2852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\b24-0\PresentationFramework.Aero2.dll2020-12-07 17:25:44.364 10341000x800000000000000011186Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:44.052{B364217D-61FE-5FCE-0000-0010E0650000}604708C:\Windows\system32\svchost.exe{B364217D-6598-5FCE-0000-0010F06C1900}2852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011185Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:44.052{B364217D-61FC-5FCE-0000-0010ED420000}640656C:\Windows\system32\csrss.exe{B364217D-6598-5FCE-0000-0010F06C1900}2852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011184Microsoft-Windows-Sysmon/Operationalwin-dc-692.attackrange.local2020-12-07 17:25:44.052{B364217D-6459-5FCE-0000-001094380800}43846804C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{B364217D-6598-5FCE-0000-0010F06C1900}2852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64)